[Techtalk] Security Issue:disallowing external access to X windows
Almut Behrens
almut_behrens at yahoo.com
Fri Sep 14 01:02:48 EST 2001
On Thu, Sep 13, 2001 at 02:47:24PM -0700, Rita Starceski wrote:
> Hi Folks,
>
> I have my ipchains rule set up to disallow external access to X windows. In
> this system we only want X to be run on the console. Are there other things
> I can do so that the users can't use X on my system other than on the console?

If it's XFree-4 and you have a file XWrapper.config (in Debian it's
in /etc/X11/, for example), you could put "allowed_users=console"
in there (possible values: console, rootonly, anybody). At least this
applies when starting X via startx; not sure about xdm/kdm/gdm, though.

Also, if it's not already set up this way, you might want to disable
tcp support for the Xserver (option "-nolisten tcp"). Should be placed
in some startup script for X (e.g. /etc/X11/xinit/xserverrc, probably
depending on the distro). This will make the Xserver *not* listen on
ports 6000+ for network connections, but rather only allow connections
via Unix domain sockets (i.e. the socket files /tmp/.X11-unix/XN, with
N being the display number).

HTH,
- Almut
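
A small audit of the two settings suggested in the reply above, as an added example that is not part of the original message. The function names and the 6000-6063 port range are assumptions of this example, and the file paths are passed as arguments because they vary by distro.

```shell
#!/bin/sh
# Added example: check the wrapper config, the X startup script, and live listeners.

# Succeeds only if FILE sets allowed_users and every uncommented setting is "console".
xwrapper_console_only() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        { key = $1; val = $2
          gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val) }
        key == "allowed_users" { seen = 1; if (val != "console") bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }
    ' "$1" 2>/dev/null
}

# Succeeds if an uncommented line in the X startup script passes "-nolisten tcp".
xserverrc_nolisten_tcp() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -Eq -- '-nolisten[[:space:]]+tcp'
}

# Reads listening-socket lines (e.g. from "ss -Hltn") on stdin and prints every
# local TCP port in 6000-6063 (assumed range; display :N uses port 6000+N).
# Succeeds if no such port is found.
x_tcp_ports() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) {
               n = split($i, a, ":"); p = a[n] + 0
               if (p >= 6000 && p <= 6063) { print p; found = 1 }
               break } }
         END { exit (found ? 1 : 0) }'
}

# Runs all three checks; returns non-zero if any of them fails.
# $1 = wrapper config path, $2 = X startup script path (both distro-specific).
audit_x() {
    rc=0
    xwrapper_console_only "$1" ||
        { echo "WARN: $1 does not restrict allowed_users to console"; rc=1; }
    xserverrc_nolisten_tcp "$2" ||
        { echo "WARN: $2 does not pass -nolisten tcp"; rc=1; }
    # If ss is unavailable the listener check sees no input and passes.
    ports=$(ss -Hltn 2>/dev/null | x_tcp_ports) ||
        { echo "WARN: TCP listener in the X port range:" $ports; rc=1; }
    return $rc
}
```

Call `audit_x` with the wrapper config and startup script paths used on the system being checked; the listener check confirms the running server's state, which the config files alone do not show.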