[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: X11 security (Was: 2.1.1 and xterm)

Subject: Re: X11 security (Was: 2.1.1 and xterm)
From: Ben Byer <email@hidden>
Date: Sun, 16 Dec 2007 05:24:50 -0800
Delivered-to: email@hidden
Delivered-to: email@hidden

On Dec 16, 2007, at 2:35 AM, Harald Hanche-Olsen wrote:

+ William Davis <email@hidden>:

It is also more secure since part of the DISPLAY value is randomly
set -- a possible intruder cant make any useful assumptions about
where the display socket is.


That is called security by obscurity, which is generally not very
secure at all.  In this case, running ls -lrtd /tmp/launch* gives a
pretty good indication of what to try.  Oh, but on the other hand
those directories are readable only by their owners, so that is not a
viable way into the user's X server anyhow.

Right. This is actually a security feature, but against a different attack. If I know the name of the directory you put your sockets in, then if you haven't already created a socket, I can try to make the directory and trick you into using a socket I control.

If you want real security against other users with shell access on
your machine, I think you will have to remove /tmp/.X11-unix/X0 or at
least do:  chmod 700 /tmp/.X11-unix/X0

Actually, this seems to be a security hole.  Shouldn't the socket in
/tmp/.X11-unix/X0 be mode 700 by default?  On other unixes it is
usually not, since there is also the TCP socket on port 6000 for which
unix permissions don't make any sense, so you need some form of xauth
access control anyhow.

Perhaps. As you've noted, generally xauth prevents this from being a real problem, because another user won't be able to talk to your X server even if they can write to your socket. We've thought about moving that socket to its own specially (randomly, securely) created socket to increase security (and then updating Xtrans to be able to find it), but I'm a bit reluctant to make such a change while we still are coping with the launchd change.

(FYI --- there is a special case where you do not need a valid xauth cookie to connect to the X server via the launchd socket. This prevents a race condition upon launch the first X client app, and is still secure since launchd guarantees us that it will securely create that socket.) -- Ben Byer CoreOS / BSD Technology Group, XDarwin maintainer

_______________________________________________
Do not post admin requests to the list. They will be ignored.
X11-users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/x11-users/email@hidden

This email sent to email@hidden

References:
	>Re: 2.1.1 and xterm (From: "John Koren" <email@hidden>)
	>Re: 2.1.1 and xterm (From: Merle Reinhart <email@hidden>)
	>Re: 2.1.1 and xterm (From: William Davis <email@hidden>)
	>X11 security (Was: 2.1.1 and xterm) (From: Harald Hanche-Olsen <email@hidden>)

Prev by Date: Re: 2.1.1 and xterm
Next by Date: Re: 2.1.1 and xterm
Previous by thread: X11 security (Was: 2.1.1 and xterm)
Next by thread: Re: 2.1.1 and xterm
Index(es):
- Date
- Thread

Home