LinuxQuestions.org
Old 01-24-2012, 09:06 AM   #1
Cyrolancer
Member
 
Registered: Jan 2012
Distribution: Debian
Posts: 52

Rep: Reputation: Disabled
Question X-server on a LAMP stack


Hello LQ people,

I want to ask a question on X-server. I am planning to install it on a LAMP stack. I need it for a script that I am planning to use for HTML -> JPG conversion.

The thing I want to learn is, how x-server can cause problems or security issues or any other things that I cannot think of at the moment, on a LAMP stack.

Thanks in advance.
 
Old 01-24-2012, 11:58 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731
Quote:
Originally Posted by Cyrolancer
how x-server can cause problems or security issues or any other things that I cannot think of at the moment, on a LAMP stack.
Best check the CVE list: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Xorg. X11 / Xorg runs as root and has been known for years to be a problem child due to the way it needs privileged access to system memory. Any client allowed to connect to the X server may cause all kinds of Interesting Things in a vulnerable version, ranging from memory and data corruption to privilege escalation to outright executing commands as root. You should disable network access with "-nolisten tcp" (use VNC over SSH instead if you need to remotely access it), never run with "-ac", if yours can run with "-auth" then use it, ensure only authorized users have system access and use xhost and xauth. In some cases an exploit can be made harder by, for instance, disabling extensions you might not need. Apart from security issues, a headless server shouldn't have an X server installed: a running X server will hog system resources and, simply put, more installed packages may mean more maintenance.
 
1 members found this post helpful.
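
The command-line options recommended in the post above can be checked mechanically. This is an added example, not part of the original thread: a POSIX shell audit of X server command lines for "-nolisten tcp", "-ac" and "-auth". The function names and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit X server command lines for the options named above.

# Print one finding per option; return 1 if any finding is a FAIL.
audit_x_cmdline() {
    status=0
    # Pad with spaces so each option is matched as a whole word.
    padded=" $1 "

    case $padded in
        *" -nolisten tcp "*) echo "OK: TCP listener disabled (-nolisten tcp)" ;;
        *) echo "FAIL: -nolisten tcp missing"; status=1 ;;
    esac
    case $padded in
        *" -ac "*) echo "FAIL: -ac disables access control"; status=1 ;;
        *) echo "OK: access control not disabled" ;;
    esac
    case $padded in
        # -auth must be followed by a file name, not be the last word.
        *" -auth "?*) echo "OK: authorization file set (-auth)" ;;
        *) echo "FAIL: no -auth file given"; status=1 ;;
    esac
    return $status
}

# Constructed sample of `ps -eo args` output; not taken from a real host.
SAMPLE_PS='/usr/bin/Xorg :0 -nolisten tcp -auth /var/run/xauth/A:0-abc123
/usr/bin/X :1 -ac
/usr/sbin/apache2 -k start'

# Read a process listing on stdin and count X server lines failing the audit.
count_failing() {
    failing=0
    while IFS= read -r line; do
        case $line in
            */Xorg\ *|*/X\ *)
                audit_x_cmdline "$line" >/dev/null || failing=$((failing + 1)) ;;
        esac
    done
    echo "$failing"
}

# Run against the constructed sample; on a real host use: ps -eo args | count_failing
printf '%s\n' "$SAMPLE_PS" | count_failing
```

Newer X.Org server releases disable the TCP listener by default, so on those a missing "-nolisten tcp" is a prompt to confirm with a socket listing rather than proof of exposure.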
Old 01-24-2012, 01:47 PM   #3
okcomputer44
Member
 
Registered: Jun 2008
Location: /home/laz
Distribution: CentOS/Debian
Posts: 241

Rep: Reputation: 51
Quote:
The thing I want to learn is, how x-server can cause problems or security issues or any other things that I cannot think of at the moment, on a LAMP stack.
Hi,

If I were you I would rather not spend any time on this "project" because in the end you won't use the X.
VPS supplier companies do not even install X by default and there is no way to get it either. Datacenter customers with a real server don't use it either.

Basically you can manage the server from terminal 100%. So the X just uses lots of resources and makes the system more vulnerable. That means when you need to trace any problems on your server that will become more complex because of the X window threads.

However you can use X of course if you need it for some reason but I'd say try not to use it.
I know it sounds strange and "terrible" just to use the terminal but you can get rid of many problems on a server without the X.
 
1 members found this post helpful.
Old 01-24-2012, 03:09 PM   #4
Cyrolancer
Member
 
Registered: Jan 2012
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: Disabled
Hello unSpawn and okcomputer44. Thank you for your assistance about this topic.

I have asked several questions about my project and Nominal Animal has answered most of the questions I have. (http://www.linuxquestions.org/questi...4-bits-925087/). Maybe you can check it out for more details.

I am not on a standard hosting / datacenter company. We own our servers and manage them (but I am not the one that manages these servers). As a result, we can install a Gnome desktop with LibreOffice and even Wine in a dedicated or virtual machine and that won't be any problem. The problem is the security of the server. We don't like to be disturbed by any kind of attacks or problems, as usual. We always install minimal programs to the servers. For example, if we don't use GD library, we don't install it. Probably this is the best security measure.

Your opinions are valuable to me, because I have never used a server with X installed. Of course, I have used X-enabled desktop distros for years. I don't know what problems we can face after installing X on a server. As far as I understand from your posts, installing X will cause a lot of problems in case of security and management.

Thanks for your posts, I will consider your opinions and change the coding, if possible.
 
Old 01-24-2012, 03:45 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731
Quote:
Originally Posted by Cyrolancer
I have asked several questions about my project and Nominal Animal has answered most of the questions I have. (..). Maybe you can check it out for more details.
I actually have been reading your previous threads before replying.


Quote:
Originally Posted by Cyrolancer
we can install (..) in a dedicated or virtual machine and that won't be any problem. The problem is the security of the server.
Good choice. While running a virtual machine does not automagically mean any problems in running it don't affect the virtualization host, careful configuration will easily shield the virtual machine from anything on the host and the network.


Quote:
Originally Posted by Cyrolancer
I have used X-enabled desktop distros for years. I don't know what problems we can face after installing X on a server. As far as I understand from your posts, installing X will cause a lot of problems in case of security and management.
No, while avoiding installation and running anything on a headless server that is not crucial is a best practice security and maintenance-wise, let's not exaggerate things. If 0) your virtualization host is properly hardened and does not allow unauthorized users access to the system (I mean shell, not network connections) and 1) the virtual machine you run X in is properly hardened and does not allow network access except localhost or private subnet only and if 2) your X server inside the virtual machine doesn't allow network connections and can only be accessed by authorized users then you've done much to prevent problems. If you test network / account / Xorg setup, both from remote and virtualization host, using say OpenVAS (or Nessus but not nmap!) then you know for certain.
 
Old 01-24-2012, 03:54 PM   #6
Cyrolancer
Member
 
Registered: Jan 2012
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: Disabled
Thank you unSpawn. I will consider your opinions and suggestions. However, me and my colleagues need to agree on joint topics and if not we can change to another option.

I will write the final decision we make on this topic.
 
  

