<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>X Networking and Security</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="The X Window User HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="X and the Command Line"
HREF="cli.html"><LINK
REL="NEXT"
TITLE="Performance Considerations"
HREF="performance.html"></HEAD
><BODY
CLASS="sect1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The X Window User HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="cli.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="performance.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="xsecurity"
></A
>8. <SPAN
CLASS="application"
>X</SPAN
> Networking and Security</H1
><P
>&#13; As mentioned, <SPAN
CLASS="application"
>X</SPAN
> is essentially a networking
protocol with graphical display capabilities. This makes for some
interesting usage possibilities. It also means there are inherent security
considerations, as there are with any networking environment. And if you ever
connect to the Internet, you are in the midst of one very large, hostile
network ;-)
</P
><P
>&#13; X clients connect to X servers via various networking protocols, including
TCP/IP, even for purely local connections. Possible uses are to run an
application on one computer and display it on another, or to log
in to a remote system and have it display on your local screen, with the
client apps using the remote system's CPU and RAM.
</P
><P
>&#13; Without any precautions, this can leave you wide open to various types of
mischief and abuse. For instance, anyone logged in to your system can
access your <SPAN
CLASS="QUOTE"
>"display"</SPAN
>, meaning they can see what you are doing
if they want to. Thankfully, most recent Linux releases come with some
default security precautions enabled. But it is best to make sure for
yourself that you are protected.
</P
><P
>&#13; Both <SPAN
CLASS="application"
>X</SPAN
> networking and security are nicely covered
in <A
HREF="http://tldp.org/HOWTO/Remote-X-Apps.html"
TARGET="_top"
>The Remote X Apps Mini HOWTO
</A
>,
so we shall not need to try to rehash it here. Recommended reading. See other
references in the <A
HREF="appendix.html#links"
>Links section</A
> of the
Appendix below.
</P
><P
>&#13; A few recommended precautions:
</P
><P
>&#13; <P
></P
><UL
><LI
><P
>&#13; Never, ever run <SPAN
CLASS="application"
>X</SPAN
> as root. The number of bad
things that can happen increases dramatically when you are logged in as root.
Learn to run as much as possible as a regular user, and su to root only
when needed. This may sound like a lot of extra work (and probably is at
first), but once the <SPAN
CLASS="QUOTE"
>"right"</SPAN
> way of doing things is learned,
it soon becomes second nature.
</P
><P
>&#13; A brief anecdote from a friend: he had a client whose new system stopped
<SPAN
CLASS="QUOTE"
>"working"</SPAN
>. Curiously, he found the entire
<TT
CLASS="filename"
>/dev</TT
> directory was missing, which he re-installed and
all was well again. He was back a few days later and found the system
logged in as root to <SPAN
CLASS="application"
>X</SPAN
>, and someone had clicked
on <TT
CLASS="filename"
>/dev</TT
> in the file manager, and dragged it onto the
desktop. Smooth move!
</P
></LI
><LI
><P
>&#13; If you ever connect to a network with untrusted users, be sure to have a
firewall between you and them. This goes double for the Internet.
Firewalling is beyond the scope of this document, but is covered in many
other places, including your vendor's website. <A
HREF="http://linuxdoc.org"
TARGET="_top"
>http://linuxdoc.org</A
> has several security
HOWTOs that can help as well. <A
HREF="http://linuxsecurity.com/docs/"
TARGET="_top"
>http://linuxsecurity.com/docs/</A
>
is another good place to look.
</P
></LI
><LI
><P
>&#13; You can disable TCP connections with the <SPAN
CLASS="QUOTE"
>"-nolisten tcp"</SPAN
>
command line X server switch. This does not help for local connections
though. For <B
CLASS="command"
>xinit/startx</B
>:
</P
><P
>&#13; <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;
exec X :0 -dpi 100 -nolisten tcp
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
><P
>&#13; Placed in <TT
CLASS="filename"
>~/.xserverrc</TT
>. And for <B
CLASS="command"
>xdm</B
>,
in <TT
CLASS="filename"
>/usr/lib/X11/xdm/Xservers</TT
>:
</P
><P
>&#13; <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;
:0 local /usr/X11R6/bin/X :0 -nolisten tcp
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
></LI
></UL
>
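<P>An added example, not part of the original HOWTO: a shell check that the "-nolisten tcp" switch above is actually in effect. It scans <TT>ss -ltn</TT> output for listeners on X display ports and flags server start lines that lack the switch; the function names, the 6000-6063 port range and the sample data are assumptions made for this example.</P>

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit X server TCP exposure.

# Print local address:port of TCP listeners on X display ports.
# Input: `ss -ltn` output on stdin. Display N listens on TCP port 6000+N;
# the 6000-6063 range checked here is an assumption of this example.
x_tcp_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (port >= 6000 && port <= 6063) print $4
    }'
}

# Print X server start lines that lack "-nolisten tcp".
# Input: contents of ~/.xserverrc or xdm's Xservers file on stdin.
missing_nolisten() {
    awk '/^[ \t]*#/ { next }
    {
        server = 0; hardened = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /(^|\/)X(org)?$/) server = 1
            if ($i == "-nolisten" && $(i + 1) == "tcp") hardened = 1
        }
        if (server && !hardened) print
    }'
}

# Constructed sample data, not captured from a real host.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    [::]:6001          [::]:*
EOF
}
sample_xservers() {
    cat <<'EOF'
# xdm Xservers entries
:0 local /usr/X11R6/bin/X :0 -nolisten tcp
:1 local /usr/X11R6/bin/X :1
EOF
}

echo "X TCP listeners:";  sample_ss | x_tcp_listeners
echo "Unhardened lines:"; sample_xservers | missing_nolisten
```

<P>On a live host, feed the functions real data: <TT>ss -ltn | x_tcp_listeners</TT> and <TT>missing_nolisten &lt; ~/.xserverrc</TT>. Empty output from both means no X display port is reachable over TCP and every start line carries the switch.</P>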
</P
></DIV
></BODY
></HTML
>