xhost and its possible security issues?

Spartrekus

Well-Known Member


#1
Hello,

Thinking about security, I may believe that xhost may be a potentially dangerous programme, which may be a security issue.

Any hands give "xhost +", and anyone logged in may do absolutely anything if another user is using the machine at the same time. A hacker could take the chance to get many things out of this app.

Just some thinking...
 

ILUXA

Aspiring Daemon


#2
> Any hands give "xhost +", and anyone logged in may do absolutely anything if another user is using the machine at the same time. A hacker could take the chance to get many things out of this app.

Better to use % xhost +si:localuser:specificusername
Replace "specificusername" with something you use.
Then it won't give access to anyone except "specificusername" on the local machine.
 

SirDice

Administrator
Staff member
Moderator


#3
The nice thing about UNIX(-like) systems is that they'll never stop you from shooting yourself in the foot.

Code:
       The xhost program is used to add and delete host names or user names to
       the list allowed to make connections to the X server.  In the case of
       hosts, this provides a rudimentary form of privacy control and security.
       It is only sufficient for a workstation (single user) environment,
       although it does limit the worst abuses.  Environments which require
       more sophisticated measures should implement the user-based mechanism
       or use the hooks in the protocol for passing other authentication data
       to the server.
From xhost(1)

The issues with xhost(1) have been known for at least 20 years, if not longer.
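
Added example (not part of any post in this thread): a POSIX sh check that classifies the access list `xhost` prints when run without arguments, separating the open "xhost +" state and host-based entries from user-scoped "si:localuser" entries. The function name, the finding labels and the two sample listings are constructed for illustration; the listing format is assumed to be what xhost(1) prints.

```shell
#!/bin/sh
# Added example: audit an xhost access list.
# Reads the listing on stdin, prints one finding per line, and returns
# 0 when only user-scoped entries are present, 1 otherwise.
audit_xhost() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left behind by "xhost +": no client is refused.
                echo "CRITICAL: access control is off, any client may connect"
                rc=1 ;;
            "access control enabled"*|"")
                ;;  # normal header line or blank line
            SI:localuser:*)
                # Server-interpreted entry, scoped to one local account.
                echo "SCOPED: only local user ${line#SI:localuser:} may connect" ;;
            LOCAL:*)
                echo "WARN: all local connections allowed ($line)"
                rc=1 ;;
            INET:*|INET6:*)
                # Host-based entry: covers every user on that host.
                echo "WARN: host-based entry ($line)"
                rc=1 ;;
            *)
                echo "REVIEW: unrecognised entry ($line)"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample listings (not captured from a real system).
SAMPLE_OPEN='access control disabled, clients can connect from any host
SI:localuser:alice'
SAMPLE_SCOPED='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_OPEN" | audit_xhost || true
printf '%s\n' "$SAMPLE_SCOPED" | audit_xhost || true
```

On a live session the same function can be fed directly with `xhost | audit_xhost`.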
 

ILUXA

Aspiring Daemon


#4
Also, it is possible to use ssh to launch GUI apps as another user:
just add your user's ~/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys of the user
from which you want to start applications, then start your GUI apps with
% ssh -Y specificusername@0 and then launch your app,
or % ssh -Y specificusername@0 appname.

Also, you need to add sshd_enable="YES" to /etc/rc.conf and then start sshd with # service sshd start.
Also, "X11Forwarding" should be enabled in /etc/ssh/sshd_config (enabled by default in FreeBSD).

Also, it is possible to use specificusername's password when using ssh, but I do not recommend using passwords when using ssh; better to disable "PasswordAuthentication" and "ChallengeResponseAuthentication" in /etc/ssh/sshd_config and use only public keys when using ssh.
 