[Techtalk] Security Issue:disallowing external access to X windows
Jeff Dike
jdike at karaya.com
Thu Sep 13 19:37:47 EST 2001
rstarceski at redcreek.com said:
> I have my ipchains rule setup to disallow external access to X
> windows. In this system we only want X to be run on the console.

Are you disallowing the running of X clients on the system that display on
other machines, or disallowing the display of remote X clients on the local
X server?

Preventing other machines from displaying on your server can be done by
preventing the server from using TCP as already mentioned.

If you don't want your X clients displaying to other machines, that sounds
a bit trickier. I have a hazy recollection that logging in on a certain
terminal (such as the console) could give you membership in a specific group.
If this is so, then you could make all the X clients (or maybe the X libraries)
executable by only members of that group. This would effectively prevent
anyone not logged in on the console from running X apps remotely.

You'd have to configure sshd to not forward X connections because that would
evade the ipchains rules you've set up, I think. And, I'm suspicious that
with ssh -L, you could set up X forwarding even with ssh X connection
forwarding disabled.

Plus, you might be able to tunnel X over other things like netcat.
Jeff
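
The settings discussed in the message above can be checked together. The following is an added example, not part of the original post: it audits an sshd_config text and an X server command line for X11 forwarding, local TCP forwarding (the `ssh -L` route) and a TCP-listening X server. The function names, sample configs and paths are constructed, and the defaults assumed for missing keywords are those of current OpenSSH.

```python
import shlex

def sshd_globals(config_text):
    """Global sshd_config settings; sshd uses the first value seen per keyword."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are not evaluated here
            break
        if len(parts) > 1:
            settings.setdefault(key, parts[1].lower())
    return settings

def audit(sshd_config_text, x_server_cmdline):
    """Return findings for the ways X traffic can bypass a packet filter."""
    findings = []
    cfg = sshd_globals(sshd_config_text)
    # Assumed defaults when unset: X11Forwarding no, AllowTcpForwarding yes.
    if cfg.get("x11forwarding", "no") == "yes":
        findings.append("sshd: X11Forwarding is enabled")
    if cfg.get("allowtcpforwarding", "yes") in ("yes", "all", "local"):
        findings.append("sshd: local TCP forwarding (ssh -L) is allowed")
    argv = shlex.split(x_server_cmdline)
    # Assumption: absence of the flag is flagged, since older servers listen on TCP.
    if not any(a == "-nolisten" and b == "tcp" for a, b in zip(argv, argv[1:])):
        findings.append("X server: no '-nolisten tcp' on the command line")
    return findings

# Constructed sample inputs.
WEAK_SSHD = "# sample\nX11Forwarding yes\n"
HARDENED_SSHD = "X11Forwarding no\nAllowTcpForwarding no\nX11Forwarding yes\n"
WEAK_X = "/usr/X11R6/bin/X :0"
HARDENED_X = "/usr/X11R6/bin/X :0 -nolisten tcp"

if __name__ == "__main__":
    for name, conf, cmd in (("weak", WEAK_SSHD, WEAK_X),
                            ("hardened", HARDENED_SSHD, HARDENED_X)):
        print(name, audit(conf, cmd) or "no findings")
```

A clean result covers only sshd and the X server; it says nothing about other tunnels a user with shell access can set up, such as the netcat case mentioned in the message.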