06-10-2010, 10:41 PM   #1
Registered: May 2010
Location: Stumptown
Distribution: Slackware 14.0/32bit + Xmonad
Posts: 352
Securing X

I wondered to myself....

"Self, WTF good is the oh, so bitchin' xscreensaver SCREEN LOCK if any idiot could come along and make my X go POOF with a simple ctl+alt+BackSpace???" ...they would get dropped into my shell. You know, the shell where I started X? BAM Full Access.

How I solved this was I decided to make X start right up by changing /etc/inittab line "id:3:initdefault:" to say "id:4:initdefault:". Now if X is killed there is no open, vulnerable, naked little login-shell waiting to get sploited! =-)

Also, I found (like most astute Slackware newbs) that when X starts, it listens on port 6000 for connections (XDMCP or whatever). This really bugged me, since I never plan on using this awesome feature.
So I edited /etc/X11/xdm/Xservers (I excluded KDE from my 13.1 install)
and changed this line
:0 local /usr/bin/X :0
to this
:0 local /usr/bin/X -nolisten tcp :0
restarted X, and Bob's my Uncle!
06-10-2010, 10:57 PM   #2
Registered: Feb 2009
Distribution: FreeBSD, OpenBSD, NetBSD, Debian, Fedora
Posts: 770
Blog Entries: 52
I thought the nolisten flag was standard for X and had to be changed to allow remote connections. I set X11 forwarding on ssh with a value of >/= +100: Port6000 for local connections, limit the users. Port6100 or greater for remote. Limit the users.

Isn't it also possible to change the key combination?
06-11-2010, 05:25 AM   #3
Senior Member
Registered: May 2008
Posts: 3,951
Blog Entries: 1
Yep, this is one of those little things that needs attention after installing Slackware. KDM adds "-nolisten tcp" by default when starting the xserver, but startx and xdm don't.

As for the screenlock, ctrl-alt-backspace and virtual console switching can be disabled from xorg.conf, or rather you used to be able to: I think you have to do it in HAL on a newer Slackware as it was changed - presumably because editing a single line in xorg.conf was way too simple and the Xorg guys needed to show how clever they could be!

You also have to be aware that alt-SysRq can be used to a similar effect, so it's not a good idea to leave an open console session on a Virtual Console as there's really no good way to secure it. screensaver/xlock only go so far.
06-11-2010, 07:09 AM   #4
Mark Pettit
Registered: Dec 2008
Location: Cape Town, South Africa
Distribution: Slackware 14.1 64 Multi-Lib
Posts: 486
I think it's worth mentioning that unless you have encrypted your disks (root, home, etc.), very few machines are secure when someone has physical access to them. Merely placing a live-distro CD in the tray and powering off and on will give you full access to everything not encrypted. A good firewall that closes all ports other than SSH (22) would also prevent over-the-network attacks on X.
06-11-2010, 07:25 AM   #5
Registered: Feb 2009
Distribution: FreeBSD, OpenBSD, NetBSD, Debian, Fedora
Posts: 770
Blog Entries: 52
It's not a good idea to use the standard port 22 for ssh.
Also X won't start on any other tty unless you specify such.
startx -- :1,2,etc
will get an Xsession.
Xdm will give another Xsession only if it is specified.
If the distribution or OS you are using allows other Xsessions without specifying such, then it's time to drop it.
06-11-2010, 10:34 AM   #6
Senior Member
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,273
I just want to point out that in default Slackware, listening for XDMCP requests is disabled in /etc/X11/xdm/xdm-config:
! SECURITY: do not listen for XDMCP or Chooser requests
! Comment out this line if you want to manage X terminals with xdm
DisplayManager.requestPort: 0
Alien_Bob has a blog post on what is required to enable XDMCP on Slackware.
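
An added example, not part of any post in this thread: a shell audit of the three settings discussed so far (the Xservers line and default runlevel from post #1, the xdm-config request port from post #6). The function names and the sample tree are constructed for illustration; the file paths are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example: audit the settings discussed in this thread.

# Print active local-server lines in an Xservers file that lack
# "-nolisten tcp"; exit status is 1 if any were found.
xservers_missing_nolisten() {
    awk '/^[ \t]*(#|$)/ { next }
         $2 == "local" && $0 !~ /-nolisten[ \t]+tcp/ { print; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Succeed only if an uncommented line sets DisplayManager.requestPort to 0
# ("!" starts a comment in X resource files).
xdmcp_disabled() {
    awk '/^[ \t]*!/ { next }
         /^[ \t]*DisplayManager[.*]requestPort:[ \t]*0[ \t]*$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Print the default runlevel from an inittab ("id:4:initdefault:" prints 4).
default_runlevel() {
    awk -F: '$1 !~ /^[ \t]*#/ && $3 == "initdefault" { print $2; exit }' "$1"
}

# Report on a directory tree laid out like /etc (pass / on a real system).
audit() {
    root=${1%/}
    if xservers_missing_nolisten "$root/etc/X11/xdm/Xservers" >/dev/null
    then echo "Xservers: all local servers use -nolisten tcp"
    else echo "Xservers: local server without -nolisten tcp"; fi
    if xdmcp_disabled "$root/etc/X11/xdm/xdm-config"
    then echo "xdm-config: XDMCP request port is 0 (disabled)"
    else echo "xdm-config: XDMCP request port not set to 0"; fi
    echo "inittab: default runlevel $(default_runlevel "$root/etc/inittab")"
}

# Constructed sample tree: the "before" state described in post #1.
sample=$(mktemp -d)
mkdir -p "$sample/etc/X11/xdm"
printf '# comment\n:0 local /usr/bin/X :0\n' > "$sample/etc/X11/xdm/Xservers"
printf '! SECURITY\nDisplayManager.requestPort: 0\n' > "$sample/etc/X11/xdm/xdm-config"
printf 'id:3:initdefault:\n' > "$sample/etc/inittab"
audit "$sample"
```
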
06-11-2010, 10:47 AM   #7
Senior Member
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 3,239
I usually boot in init 3 on my work desktop, and to be sure nobody does nasty things on my shell, I launch X with
exec startx
From the exec man page:
"The exec() family of functions replaces the current process image with a new process image."
So it launches X, closing the login bash.
This way, when I exit/zap X (if I switch to console, ctrl-Z doesn't work because I'm no longer in bash) I'm at the login prompt.

Obviously someone can open my PC and remove the hard disk, but my home is encrypted and nobody can see what I'm doing if the screen is locked.

O.T.: using compcache adds extra privacy, because your swap is in RAM and gets cleaned at reboot: you can't imagine how many interesting things can be found if you run strings on swap.

Last edited by ponce; 06-11-2010 at 10:59 AM.