xhost + is a huge security hole

Maybe you have a firewall in your company, only your PC can access the production server, only you have the root password in prod, and your company spends a lot of money on security, yet you still dare to use xhost +.

This is a huge security hole because it gives anyone access to your X resources: not only your display, but also your mouse and your keyboard, so anyone can read, modify or corrupt what you are typing and clicking. Using xhost + is a bad habit. Even xhost +localhost gives anyone on localhost access to your keyboard…
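To check whether a display is in the state described above, the following added example (not part of the original post) audits the access list that `xhost` prints with no arguments. The function name, return codes and the sample list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit the access list printed by `xhost`.
# Return code: 0 = no host-based access, 1 = host-based entries present,
#              2 = access control disabled (the state `xhost +` leaves behind).

audit_xhost() {
    worst=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control is off; any client that can reach the display may connect"
                worst=2 ;;
            "access control enabled"*|"")
                ;;
            SI:localuser:*)
                # Server-interpreted entry: limited to one local account.
                echo "info: user-scoped entry $line" ;;
            INET:*|INET6:*|LOCAL:*|DNET:*|NIS:*|KRB:*)
                # Host-based entry: every user on that host gets the display,
                # keyboard and mouse (this is what `xhost +localhost` adds).
                echo "WARNING: host-based entry $line"
                if [ "$worst" -lt 1 ]; then worst=1; fi ;;
            *)
                echo "review: unrecognised entry $line"
                if [ "$worst" -lt 1 ]; then worst=1; fi ;;
        esac
    done
    return "$worst"
}

# Constructed sample (not captured output): the list after `xhost +localhost`.
sample_localhost() {
    printf '%s\n' \
        'access control enabled, only authorized clients can connect' \
        'INET:localhost' \
        'SI:localuser:lsc'
}
```

On a live session, pipe the real list in with `xhost | audit_xhost` and act on the return code.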

So what else could you use?

The simplest is probably SSH tunnelling (X11 forwarding).

[email protected]:$ ssh -X [email protected]
Last login: Fri Max 2 10:24:09 2007 from localhost
[email protected]:$ if xterm -e true; then echo success; fi
success

Another way to do this is to use X cookies.

[email protected]:$ xauth extract ~/my-x-cookie $DISPLAY
[email protected]:$ setfacl -m u:oracle:r ~/my-x-cookie
[email protected]:$ su - oracle -c "DISPLAY=$DISPLAY bash"
Password:
[email protected]:$ if xterm -e true; then echo success; fi
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
xterm Xt error: Can't open display: :0.0
[email protected]:$ xauth merge ~lsc/my-x-cookie
xauth: creating new authority file ~oracle/.Xauthority
[email protected]:$ if xterm -e true; then echo success; fi
success

There is no need to type all of this every time. Here is my alias:

alias oracle='
xauth extract $HOME/my-x-cookie $DISPLAY;
setfacl -m u:oracle:r $HOME/my-x-cookie;
su - oracle -c "export DISPLAY=$DISPLAY;
xauth merge $HOME/my-x-cookie;
bash"'

3 thoughts on “xhost + is a huge security hole”

  1. WARnux

    In my opinion, SSH tunneling is the way to go.

    Thanks for sharing this information for those moving from Windows to Linux.

  2. Pingback: Laurent Schneider » xhost+ security hole part 2
