
xhost + is a huge security hole

March 2nd, 2007

Maybe your company has a firewall, only your PC can reach the production server, only you hold the root password in prod, and your company spends a lot of money on security. And yet you dare to use xhost +.

This is a huge security hole: xhost + switches the X server's access control off entirely, so any client that can reach the server (any host at all, if the server listens on TCP, which older X servers did unless started with -nolisten tcp) gets full access to your X resources. The X protocol has no isolation between clients, so that is not only your display but also your mouse and your keyboard: a connected client can read, modify or corrupt what you are typing and clicking, and can draw into or grab any window. Using xhost + is a bad habit. Even xhost +localhost gives your keyboard to every user on localhost, because host-based access is granted per host, not per user. To check where you stand, run xhost with no arguments: "access control disabled, clients can connect from any host" means you are wide open, and xhost - turns access control back on. On an Xorg server that supports server-interpreted entries, xhost +si:localuser:oracle grants access to one local user instead of a whole host.

So what else can you use?

The simplest is probably SSH X11 forwarding (ssh -X): the X connection is tunnelled over SSH and the remote session gets its own forwarded display and cookie. One caveat: OpenSSH's -X gives untrusted forwarding when ForwardX11Trusted is not set, which restricts what the forwarded client may do with your display; some applications then fail and need -Y (trusted forwarding, equivalent to handing over a full cookie). Check your ssh_config, since some distributions set ForwardX11Trusted yes by default.

lsc@chltlxlsc:~> ssh -X oracle@localhost
Last login: Fri Mar  2 10:24:09 2007 from localhost
oracle@chltlxlsc:~> xterm -e true && echo success
success

Another way is to hand the target user a copy of your X authority cookie (the MIT-MAGIC-COOKIE-1 entry in ~/.Xauthority), which is exactly what the server checks when access control is on. Whoever holds the cookie has the same access you do, so share it only with the user who needs it and keep the file unreadable to everyone else.

lsc@chltlxlsc1:~> xauth extract ~/my-x-cookie $DISPLAY
lsc@chltlxlsc1:~> setfacl -m u:oracle:r ~/my-x-cookie
lsc@chltlxlsc1:~> su - oracle -c "DISPLAY=$DISPLAY bash"
Password:
oracle@chltlxlsc1:~> xterm -e true && echo success
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

xterm Xt error: Can't open display: :0.0
oracle@chltlxlsc1:~> xauth merge ~lsc/my-x-cookie
xauth:  creating new authority file ~oracle/.Xauthority
oracle@chltlxlsc1:~> xterm -e true && echo success
success

No need to type all this. Here is my alias. Note that $HOME and $DISPLAY are expanded by your own shell when the alias runs, so the cookie file is written in your home directory; oracle needs search permission on that directory to read it, and the file stays there with its ACL until you remove it.

alias oracle='
  xauth extract $HOME/my-x-cookie $DISPLAY;
  setfacl -m u:oracle:r $HOME/my-x-cookie;
  su - oracle -c "export DISPLAY=$DISPLAY;
    xauth merge $HOME/my-x-cookie; 
    bash"'
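To make visible what those two xauth steps actually hand over, here is an added example (not from the original post) that re-implements extract and merge on the ~/.Xauthority file format in Python. Each entry in that file is a big-endian uint16 address family followed by four length-prefixed fields (address, display number, protocol name, cookie data); for MIT-MAGIC-COOKIE-1 the data is a 16-byte bearer secret, so anyone holding the bytes has your access. The hostname chltlxlsc1 comes from the page, the cookies are constructed, and matching on display number alone is a simplification of xauth's host matching.

```python
"""Added example: the ~/.Xauthority format behind `xauth extract` / `xauth merge`.
Not the original post's code. Sample cookies and paths are constructed."""
import os
import stat
import struct
import tempfile
from dataclasses import dataclass

# Address-family values from X11/Xauth.h.
FAMILY_INTERNET = 0      # address is an IPv4 address
FAMILY_LOCAL = 256       # address is the local hostname (what `:0` normally uses)
FAMILY_WILD = 65535      # matches any host


@dataclass(frozen=True)
class XauthEntry:
    family: int
    address: bytes   # hostname or IP, depending on family
    number: bytes    # display number as ASCII digits, e.g. b"0"
    name: bytes      # protocol, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes      # the cookie: 16 random bytes for MIT-MAGIC-COOKIE-1


def _counted(buf: bytes, pos: int):
    """Read one length-prefixed (big-endian uint16) field at `pos`."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated Xauthority entry")
    return buf[pos:pos + n], pos + n


def parse_xauthority(buf: bytes) -> list:
    """Parse the raw bytes of an authority file into entries."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _counted(buf, pos)
        number, pos = _counted(buf, pos)
        name, pos = _counted(buf, pos)
        data, pos = _counted(buf, pos)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def serialize_xauthority(entries) -> bytes:
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += struct.pack(">H", len(field)) + field
    return bytes(out)


def display_number(display: str) -> bytes:
    """':0.0' -> b'0', 'localhost:10.0' -> b'10' (screen suffix dropped)."""
    return display.rpartition(":")[2].split(".", 1)[0].encode()


def extract(entries, display: str) -> list:
    """Like `xauth extract`, simplified: keep the entries for this display number."""
    num = display_number(display)
    return [e for e in entries if e.number == num]


def merge(dest, new) -> list:
    """Like `xauth merge`: an incoming entry replaces the one with the same
    (family, address, number, name) key; anything else is appended."""
    key = lambda e: (e.family, e.address, e.number, e.name)
    merged = {key(e): e for e in dest}
    for e in new:
        merged[key(e)] = e
    return list(merged.values())


def write_authority(path: str, entries) -> str:
    """Create the file with mode 0600 from the first byte: the cookie is a
    bearer secret and must never be readable by anyone else, even briefly."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(serialize_xauthority(entries))
    return path


def demo() -> dict:
    """Constructed scenario: my file holds cookies for :0 and :1; the other
    user gets a new file containing the :0 cookie only."""
    cookie0 = bytes(range(16))        # constructed, not a real cookie
    cookie1 = bytes(range(16, 32))
    mine = [
        XauthEntry(FAMILY_LOCAL, b"chltlxlsc1", b"0", b"MIT-MAGIC-COOKIE-1", cookie0),
        XauthEntry(FAMILY_LOCAL, b"chltlxlsc1", b"1", b"MIT-MAGIC-COOKIE-1", cookie1),
    ]
    handed = extract(mine, ":0.0")                       # what `xauth extract` copies
    theirs = merge([], handed)                           # what `xauth merge` would produce
    path = write_authority(os.path.join(tempfile.mkdtemp(), "Xauthority"), theirs)
    return {
        "roundtrip": parse_xauthority(serialize_xauthority(mine)) == mine,
        "handed": len(handed),
        "numbers": [e.number for e in theirs],
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        "path": path,
    }


if __name__ == "__main__":
    print(demo())
```

The point of writing the file with os.open and an explicit 0600 mode is the same reason the post uses an ACL for a single user rather than chmod o+r: the cookie is the whole secret, so the file's permissions are the only thing standing between "oracle can use my display" and "everyone on the box can".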

installation, linux, security

  1. June 25th, 2008 at 00:23 | #1

    In my opinion, SSH tunneling is the way to go.

    Thanks for sharing this information for those moving from Windows to Linux.

  2. June 25th, 2008 at 09:45 | #2

    Yes, sometimes it is the way to go. But it is not always possible (sometimes you cannot log in with ssh directly and are required to do a su).

    Also, it is not supported for Clusterware installation:
    http://download.oracle.com/docs/cd/B28359_01/install.111/b28263/prelinux.htm#BABDFDJI
