LinuxQuestions.org


Cyrolancer 01-24-2012 09:06 AM

X-server on a LAMP stack
 
Hello LQ people,

I want to ask a question on X-server. I am planning to install it on a LAMP stack. I need it for a script that I am planning to use for HTML -> JPG conversion.

The thing I want to learn is how X-server can cause problems or security issues, or any other things that I cannot think of at the moment, on a LAMP stack.

Thanks in advance.

unSpawn 01-24-2012 11:58 AM

Quote:

Originally Posted by Cyrolancer (Post 4583133)
how X-server can cause problems or security issues, or any other things that I cannot think of at the moment, on a LAMP stack.

Best check the CVE list: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Xorg. X11 / Xorg runs as root and has been known for years to be a problem child due to the way it needs privileged access to system memory. Any client allowed to connect to the X server may cause all kinds of Interesting Things in a vulnerable version, ranging from memory and data corruption to privilege escalation to outright executing commands as root. You should disable network access with "-nolisten tcp" (use VNC over SSH instead if you need to remotely access it), never run with "-ac", if yours can run with "-auth" then use it, ensure only authorized users have system access and use xhost and xauth. In some cases an exploit can be made harder by, for instance, disabling extensions you might not need. Apart from security issues, a headless server shouldn't have an X server installed: a running X server will hog system resources and, simply put, more installed packages may mean more maintenance.
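
Added example, not part of unSpawn's post: a small shell check that audits an X server command line against the three options named above ("-nolisten tcp", "-ac", "-auth"). The function name, the sample command lines and the file paths in them are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check an X server command line for
# the three options named in the post above.

# audit_x_cmdline "<full command line>"
# Prints one finding per line; returns 1 if any check fails, else 0.
audit_x_cmdline() {
    cmd=" $1 "   # pad with spaces so options match as whole words
    rc=0

    # "-ac" switches off access control: any client that can reach the
    # server may connect.
    case "$cmd" in
        *" -ac "*) echo "FAIL -ac: access control disabled"; rc=1 ;;
        *)         echo "ok   -ac: not set" ;;
    esac

    # TCP listener. The post asks for an explicit "-nolisten tcp";
    # an explicit "-listen tcp" turns the listener on.
    case "$cmd" in
        *" -listen tcp "*)   echo "FAIL tcp: -listen tcp set"; rc=1 ;;
        *" -nolisten tcp "*) echo "ok   tcp: -nolisten tcp set" ;;
        *)                   echo "FAIL tcp: -nolisten tcp missing"; rc=1 ;;
    esac

    # "-auth <file>" points the server at an authorization (xauth) file.
    case "$cmd" in
        *" -auth "*) echo "ok   -auth: authorization file given" ;;
        *)           echo "FAIL -auth: no authorization file"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample command lines (hypothetical paths).
HARDENED='/usr/bin/Xorg :0 -nolisten tcp -auth /var/run/xauth/server-0'
OPEN='/usr/bin/Xorg :0 -ac'

for c in "$HARDENED" "$OPEN"; do
    echo "== $c"
    audit_x_cmdline "$c" || echo "-> needs attention"
done

# On a live host, feed it real command lines instead, e.g.:
#   ps -eo args= | grep '[X]org' | while read -r l; do audit_x_cmdline "$l"; done
```

A passing command line only shows how the server was started; who can actually connect still depends on the xhost and xauth settings the post mentions.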

okcomputer44 01-24-2012 01:47 PM

Quote:

The thing I want to learn is how X-server can cause problems or security issues, or any other things that I cannot think of at the moment, on a LAMP stack.

Hi,

If I were you I would rather not spend any time on this "project" because in the end you won't use the X.
VPS supplier companies do not even install X by default and there is no way to get it either. Datacenter customers with a real server don't use it either.

Basically you can manage the server from the terminal 100%. So the X just uses lots of resources and makes the system more vulnerable. That means when you need to trace any problems on your server, that will become more complex because of the X window threads.

However, you can use X of course if you need it for some reason, but I'd say try not to use it.
I know it sounds strange and "terrible" just to use the terminal but you can get rid of many problems on a server without the X. :)

Cyrolancer 01-24-2012 03:09 PM

Hello unSpawn and okcomputer44. Thank you for your assistance about this topic.

I have asked several questions about my project and Nominal Animal has answered most of the questions I have. (http://www.linuxquestions.org/questi...4-bits-925087/). Maybe you can check it out for more details.

I am not on a standard hosting / datacenter company. We own our servers and manage them (but I am not the one that manages these servers :)). As a result, we can install a Gnome desktop with LibreOffice and even Wine in a dedicated or virtual machine and that won't be any problem. The problem is the security of the server. We don't like to be disturbed in any kind of attacks or problems, as usual. We always install minimal programs to the servers. For example, if we don't use GD library, we don't install it. Probably this is the best security measure.

Your opinions are valuable to me, because I have never used a server with X installed. Of course, I have used X-enabled desktop distros for years. I don't know what problems we can face after installing X on a server. As far as I understand from your posts, installing X will cause a lot of problems in terms of security and management.

Thanks for your posts, I will consider your opinions and change the coding, if possible.

unSpawn 01-24-2012 03:45 PM

Quote:

Originally Posted by Cyrolancer (Post 4583436)
I have asked several questions about my project and Nominal Animal has answered most of the questions I have. (..). Maybe you can check it out for more details.

I actually have been reading your previous threads before replying.


Quote:

Originally Posted by Cyrolancer (Post 4583436)
we can install (..) in a dedicated or virtual machine and that won't be any problem. The problem is the security of the server.

Good choice. While running a virtual machine does not automagically mean any problems in running it don't affect the virtualization host, careful configuration will easily shield the virtual machine from anything on the host and the network.


Quote:

Originally Posted by Cyrolancer (Post 4583436)
I have used X-enabled desktop distros for years. I don't know what problems we can face after installing X on a server. As far as I understand from your posts, installing X will cause a lot of problems in terms of security and management.

No, while avoiding installing and running anything on a headless server that is not crucial is a best practice security and maintenance-wise, let's not exaggerate things. If 0) your virtualization host is properly hardened and does not allow unauthorized users access to the system (I mean shell, not network connections) and 1) the virtual machine you run X in is properly hardened and does not allow network access except localhost or private subnet only and if 2) your X server inside the virtual machine doesn't allow network connections and can only be accessed by authorized users, then you've done much to prevent problems. If you test network / account / Xorg setup, both from remote and virtualization host, using say OpenVAS (or Nessus but not nmap!) then you know for certain.

Cyrolancer 01-24-2012 03:54 PM

Thank you unSpawn. I will consider your opinions and suggestions. However, my colleagues and I need to agree on joint topics and if not we can change to another option.

I will write the final decision we make on this topic :)

