[1567] in linux-security and linux-alert archive
[linux-security] How to protect X sessions?
daemon@ATHENA.MIT.EDU (Timo Felbinger)
Sun Jun 1 02:13:58 1997
Date: Sat, 31 May 1997 13:33:47 +0200 (MET DST)
From: Timo Felbinger <felbing@pandora.physik.uni-konstanz.de>
Reply-To: Timo.Felbinger@uni-konstanz.de
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Hello,
the way most Linux (and not only Linux) systems are administrated
opens up huge security loopholes: usually, I start X once after
reboot and have it running till next shutdown, only temporarily
locked via xlock, with lots of windows permanently open.
Critical administrative tasks, even for remote machines, are
performed in xterms, with lots of other applications running on
the same desktop at the same time. I am sure almost everyone
does it that way.
Running insecure applications (in particular, netscape with Java
enabled) under a separate account can be one step but still leaves
one big loophole open: all applications must be given permission
to connect to the X server, which can easily be exploited e.g. to
read all keyboard input.
One obvious workaround would be to run several X servers in parallel.
This can indeed be done using Xnest, which is a server on its own but
runs as a client in a window of the "real" server. It seems to maintain
two separate sets of magic cookies: one to connect to its server, and
another one which clients have to use to connect to Xnest.
Is it a good idea to run suspicious programs "in a box", i.e., under
a different account with access only to the display provided by Xnest,
isolating them from the "real" server? In particular, will this procedure
reliably hide mouse and keyboard events taking place outside of the Xnest
window from such programs?
Regards,
Timo Felbinger