[Techtalk] Security Issue: disallowing external access to X windows

Jeff Dike jdike at karaya.com
Thu Sep 13 19:37:47 EST 2001


rstarceski at redcreek.com said:
> I have my ipchains rule set up to disallow external access to X
> windows.  In this system we only want X to be run on the console.

Are you disallowing the running of X clients on the system that display on
other machines, or disallowing the display of remote X clients on the local
X server?

Preventing other machines from displaying on your server can be done by
preventing the server from using TCP as already mentioned.

If you don't want your X clients displaying to other machines, that sounds
a bit trickier.  I have a hazy recollection that logging in on a certain
terminal (such as the console) could give you membership in a specific group.
If this is so, then you could make all the X clients (or maybe the X libraries)
executable by only members of that group.  This would effectively prevent
anyone not logged in on the console from running X apps remotely.

You'd have to configure sshd to not forward X connections because that would
evade the ipchains rules you've set up, I think.  And, I'm suspicious that
with ssh -L, you could set up X forwarding even with ssh X connection 
forwarding disabled.

Plus, you might be able to tunnel X over other things like netcat.

				Jeff
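
Added example, not part of the message above: a small audit of the two places the reply points at, the sshd forwarding settings and whether the X server was started with TCP disabled. It assumes upstream OpenSSH defaults (X11Forwarding no, AllowTcpForwarding yes) and the X server's -nolisten tcp / -listen tcp flags; the function names and sample inputs are constructed for illustration.

```python
import shlex

# Upstream OpenSSH defaults when a keyword is absent (assumption: no distro patches).
SSHD_DEFAULTS = {"x11forwarding": "no", "allowtcpforwarding": "yes"}

def effective_sshd_options(config_text):
    """Global values of the forwarding keywords in an sshd_config.

    sshd keeps the first value it sees for a keyword. Parsing stops at the
    first Match block; conditional overrides there need manual review.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in SSHD_DEFAULTS and len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().strip('"').lower()
    return {**SSHD_DEFAULTS, **seen}

def x_server_tcp(cmdline):
    """True/False if the argv enables/disables TCP, None if it says nothing."""
    argv = shlex.split(cmdline)
    state = None
    for flag, value in zip(argv, argv[1:]):
        if value == "tcp" and flag in ("-listen", "-nolisten"):
            state = (flag == "-listen")
    return state

def findings(config_text, x_cmdline):
    opts = effective_sshd_options(config_text)
    out = []
    if opts["x11forwarding"] != "no":
        out.append("sshd: X11Forwarding is enabled")
    if opts["allowtcpforwarding"] != "no":
        out.append("sshd: AllowTcpForwarding is not 'no'; generic port forwarding can carry X")
    if x_server_tcp(x_cmdline) is not False:
        out.append("X server: TCP not explicitly disabled (-nolisten tcp)")
    return out

# Constructed sample inputs, not taken from the thread.
SAMPLE_SSHD = "# sample\nX11Forwarding no\nAllowTcpForwarding yes\nX11Forwarding yes\n"
SAMPLE_X = "/usr/bin/X :0 -nolisten tcp vt7"

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_SSHD, SAMPLE_X)))
```

On a live host, feed it the contents of the sshd configuration file and the X server's command line as shown by ps.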




