LinuxQuestions.org
Old 06-30-2007, 10:57 AM   #1
sachinh
The old X problem ...still unsolved ??


hi,

One of the security tools has generated reports for our production system, which has RedHat Linux 2.1 installed on it.

The error in question is :

unrestricted X server access (No X server access control )

Now when I tried to google the above error, I found the following help.

"Restrict access to server: An open X display allows anyone, anywhere to view your screen, capture keystrokes and even execute commands remotely. This is a serious vulnerability that is easily fixed using xhost or xauth. The xhost program is used to add and delete host names or user names to the list allowed to make connections to the X server, providing a rudimentary form of privacy control and security sufficient for a workstation environment (e.g. xhost +user@host when granting access)."

So I tried to disable the unwanted access using the command below, but got this:

>>>xhost -
xhost: unable to open display ""
root@P04.com /root
>>>

But at the same time I get this when I run ,

>>>xauth list
P04.com:1 MIT-MAGIC-COOKIE-1 c04203fd1bdc2f31d7b249434ff4de3d
localhost.localdomain/unix:1 MIT-MAGIC-COOKIE-1 e448d1eb5e9ccce7a407ea55f06c0fe9
P01.com/unix:10 MIT-MAGIC-COOKIE-1 dd84bffa51d812943c1dba16ba2f54bb
P01.com/unix:1 MIT-MAGIC-COOKIE-1 c04203fd1bdc2f31d7b249434ff4de3d
P01.com/unix:0 MIT-MAGIC-COOKIE-1 e00708c7b585daea3ce89ef1f52bee89
P04.com/unix:10 MIT-MAGIC-COOKIE-1 0964d62871c1e842f60ad9307dfed6bf
>>>

And I have found that in /etc/sshd_config X11 Forwarding is set to Yes.

But it gives no output for

>>>echo $DISPLAY
>>>


Now I'm pretty confused as to whether xhost is being used on this system. Or is it xauth or X11Forwarding? Or none?
Then why is our security audit tool complaining about "unrestricted X server access (No X server access control)"?
 
Old 06-30-2007, 12:24 PM   #2
jhwilliams
Try setting the DISPLAY variable before using xhost... I had a related problem earlier. As to why you have nothing in your display string, I could not say
(would expect :0.0 or something).
Code:
bash$ export DISPLAY="$(uname -n | sed 's/\.yourdomainname\.com//'):0.0"
Also, check /etc/ssh/sshd_config to see if X11Forwarding is enabled.

Last edited by jhwilliams; 06-30-2007 at 12:33 PM.
 
Old 06-30-2007, 01:21 PM   #3
sachinh
Yes, the X11 Forwarding is yes. So? All I want is to get rid of the vulnerability alert that the tool is producing. Is there any way out? I guess if I can make sure that the X services are secure enough then that alert will not get generated. Any guesses, please?
 
Old 06-30-2007, 03:36 PM   #4
Tinkster
Actually .... when using ssh -X you needn't set DISPLAY or xhost +

As for the warning, and the inability to disable the xhost (xhost -,
xhost: unable to open display "") ... that's because you're trying
to do that on a terminal that isn't owned by the process that runs
the X server on the server. Why is X running in the first place?
BAD MOVE.


Cheers,
Tink
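
A triage sketch for the three mechanisms this thread mixes up (X server startup options, xhost state, sshd X11Forwarding), added here as an example and not written by any poster. The function names and sample command lines are constructed; it assumes an X server of that era, which listens on TCP unless started with -nolisten tcp.

```shell
#!/bin/sh
# Added example: classify the inputs behind an "unrestricted X server access"
# finding. All sample inputs below are constructed, not from the thread's host.

# Classify an X server command line (e.g. one line of `ps -eo args`).
# Assumption: older XFree86/X.Org default, TCP listening unless -nolisten tcp.
classify_x_cmdline() {
    _args=" $1 "
    _out=""
    # -ac switches host-based access control off for every client
    case "$_args" in *" -ac "*) _out="access-control-off" ;; esac
    # no "-nolisten tcp": server is reachable on TCP port 6000+display
    case "$_args" in *" -nolisten tcp "*) ;; *) _out="${_out:+$_out,}tcp-listen" ;; esac
    # no "-auth file": no cookie file handed to the server at startup
    case "$_args" in *" -auth "*) ;; *) _out="${_out:+$_out,}no-auth-file" ;; esac
    echo "${_out:-ok}"
}

# Classify the first line of `xhost` output. xhost must be run from a
# session that can reach the display, otherwise it cannot open it at all.
classify_xhost() {
    case "$1" in
        "access control disabled"*) echo "open" ;;
        "access control enabled"*)  echo "restricted" ;;
        *)                          echo "unknown" ;;
    esac
}

# Effective X11Forwarding from sshd_config text on stdin: keyword is
# case-insensitive, first value wins, default is "no". Match blocks ignored.
x11_forwarding() {
    awk 'tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }'
}

# Constructed demonstration inputs
open_srv='/usr/X11R6/bin/X :0 -ac'
hard_srv='/usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth -nolisten tcp'
echo "server started with -ac : $(classify_x_cmdline "$open_srv")"
echo "hardened server         : $(classify_x_cmdline "$hard_srv")"
echo "xhost state             : $(classify_xhost 'access control disabled, clients can connect from any host')"
echo "sshd X11Forwarding      : $(printf '#X11Forwarding no\nX11Forwarding yes\n' | x11_forwarding)"
```

On a live host the same functions can be fed the real `ps -eo args` line for the X server, the output of `xhost` run inside the X session, and the contents of /etc/ssh/sshd_config.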