xhost and its possible security issues?

Spartrekus

Spartrekus

Hello,

Thinking about security, I may believe that xhost may be a potential dangerous programme, which may be a security issue.

Any hands give "xhost +", and anyone logged in may do absolutely anything if another user is using the machine at the same time. An hacker could take chance to get many things out of this app.

Just some thinking...
 
Spartrekus said:
Any hands give "xhost +", and anyone logged in may do absolutely anything if another user is using the machine at the same time. An hacker could take chance to get many things out of this app.
Click to expand...

Better use % xhost +si:localuser:[I]specificusername[/I]
Replace "specificusername" with something you use.
Then it won't give acces to anyone, except "specificusername" on local machine.
 
The nice thing about UNIX(-like) systems is that they'll never stop you from shooting yourself in the foot.

Code: 
       The xhost program is used to add	and delete host	names or user names to
       the list	allowed	to make	connections to the X server.  In the  case  of
       hosts,  this  provides  a rudimentary form of privacy control and secu-
       rity.  It is only sufficient for	a workstation (single  user)  environ-
       ment,  although	it  does  limit	 the worst abuses.  Environments which
       require more sophisticated measures  should  implement  the  user-based
       mechanism  or use the hooks in the protocol for passing other authenti-
       cation data to the server.
From xhost(1)

The issues with xhost(1) have been known for at least 20 years, if not longer.
 
Also it is possible to use ssh to launch GUI apps as another user,
just add your user ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys of user,
from wich you want to start applications, then start your GUI apps with
% ssh -Y [I]specificusername[/I]@0 and then launch your app,
or % ssh -Y [I]specificusername[/I]@0 appname.

Also you need to add sshd_enable="YES" to /etc/rc.conf and then start sshd with # service sshd start.
Aslo "X11Forwarding" should be enabled in /etc/ssh/sshd_config (enabled by default in FreeBSD).

Also it is possible to use specificusername password, when using ssh, but I do not recommend using passwords when using ssh, better disable "PasswordAuthentication" and "ChallengeResponseAuthentication" in /etc/ssh/sshd_config and use only public keys when using ssh.
 
You must log in or register to reply here.
Back
Top