How to disable X security permanently
 

One can run 'xhost +' command to dissable the security of X server. Is it possible to turn of this security permanently in e.g. a configuration file so that one does not have to run this command again and again.

Thanks,

Danish

If you really must do this (and anyone here will tell you what a bad idea it is, so I'd really question why you feel this is the right solution), just put the command xhost + in your startup file (e.g. ~/.profile or ~/.bash_profile.

There is a file that determines who can connect:
http://www.cygwin.com/ml/cygwin-xfre.../msg00198.html

You have to be kidding. So many exploits are possible with a machine that has xhost +, it's incredible that any sane person still wants to do this. Why in the world would you use +? Just use the specific hosts you want to allow.

You're begging to get rooted.

Yeah but what if he is at home behind a firewall without 6000 open. I do that now. Not saying I would suggest firing up 6000 to listen then plug into the cable modem for the world to see. But if you are safe and secure on your home network, eh, why not. Then again I tend to be lazy like that at home.

As for my work laptop, only xhost + when I need to access a machine for remote X session. Add only that machine as trusted and turn it back off when I am done. God knows what my creepy co-workers would do. Delete my pr0n folder probably....bastards!

The "security" of being behind a firewall is largely a myth. It only takes one tiny flaw for someone to get through a firewall, then it's off to the races. If a Windows box on your LAN gets compromised & backdoored, then they use that to jump to your Linux box via a vulnerable X setup, etc--the possibilities are endless. Not to mention that a tiny flaw on the Linux box, such as an underprivileged account with default passwords, could be leveraged to export an X session, blah blah blah. The point is there are tons of ways of exploiting boxen that are behind firewalls (even firewalls themselves have flaws, look at Blackice).

You shouldn't be lazy & careless with security just because you're "protected" by a firewall. Always treat every box like it's connected to the Internet directly, because the reality isn't far from that... And finally the obligitory warning that over 80% of compromises come from internal sources, not directly from the Internet.

Oh, and a last point (although it should have been my first point) is that you should always reinforce security computing habits, rather than falling into bad computing habits. If you're used to doing xhost + on a home machine that you think is safe, or you don't care about, chances are after repeating that dozens or hundreds of times, you'll forget that one time when you log into a production UNIX-like system that has X installed and you'll xhost + it. Next thing you know, corporate security is wondering why the hell your account was compromised and the UNIX server got hijacked...

Hello,

The option you may want to use is the following:
X -ac -dpi 100 ...
ac option is to disable control access. But be careful, cause Chort and other are true: That's really dangerous to do that

Oliv'

if he likes danger and you are willing to show him let him do, swear and cry if something happen later :cry: :mad:

Hi Experts,

Thanks for the replies. Yes, I understand that this is very stupid thing to do. However, this is the only solutuion Oracle says for our problem. So just for reassurance, this server will be an internal application server and somebody being capable enough to hack it internally is extremely remote.

Now to the other problem. This server would simply be switched on and no one would actually log on to it. So will it really work if I put it in .profile? Also the xhost + command requires the X server to be running, does the .profile script get executed after the X server starts?

Thanks again

If no-one is logging into it, what mechanism are you using to display X sessions?

chort,

Can I ask for some clarification on a couple of points you mention?

OK, a firewall isn't 100% protection but neither is it 0% protection. Would would be really useful to know is how much protection it reall does give. For example, how much less likely are you to be hacked if you have a firewall vs. if you don't? I know that the expert cracker can get round many firewalls, but most crackers aren't experts and it may not make sense to spend a lot of extra time and effort raising the bar high enough to see off those top-notch crackers if the reality is that there is only a very small risk of becoming a victim to one.


I hear this sort of figure around a lot; I've been looking for a source for it but can't find one. Do you know what research it comes from?

Presumably if you have a small home or office network, the figure is always going to be much lower than 80%; if you are in a large corporate network it might be that high; but given the lack of real statistics about hacking, I'm suspicious about whether this is a genuine figure.

Well a firewall is only as good as the ports that it's blocking, and then that is only as good as the actual strength of the firewall code. There are many tricks that can allow an attacker to get through a firewall, even if the port is "blocked", this is especially of concern on low-end boxes, like the SoHo routers that Linksys (now Cisco), D-Link, etc make, but it's also possible on "industrial strength" firewals like Checkpoint FW-1 and Cisco PIX.

Going back to the first point, usually you allow some types of traffic to come through the firewall (HTTP, SMTP, etc) so those protocols are allowed through with little (in the case of PIX, Netscreen, FW-1, etc) or no (in the case of all SoHo boxes) inspection of the data. That means that if something comes through port 80/TCP (HTTP) it's just allowed. If you have an insecure PHP script on your web server, you're going down whether you have a firewall or not.

Even if 100% of inbound traffic is blocked, end-users can still "pwn" their own systems be executing malicious code that shows up in their e-mail (that they fetch), or on a website (that they fetch). Those are outbound connections, not inbound, but they can still own a box just the same. Once a box behind the firewall has been owned, you might as well not have a firewall. Attackers can use revserse backdoors that open up control connections back to their masters' (outbound connections) so no inbound is required (firewall doesn't do any good).

As for the point about insiders, I don't recall any specific research groups off the top of my head... One of them may have been the Yankee Group, but don't quote me on that. I know I've seen it from multiple analysts and researchers (usually it's in paid-for whitepapers that they sell to clients). Even in the case of SoHos, most compromises are still initiated from the inside, although not usually on purpose (mostly by accidental or ignorant exectuation of malicious code that they received).

I don't disagree with that. My question is really what the effect is in reality. Sure an attacker can get through a Linksys router/firewall, but does it happen very often? How many home users with reasonable firewalls get successfully hacked compared to those without firewalls?

To put it another way, if I'm a home owner trying to stop thieves breaking in, I know that whatever I do, a really determined thief is always going to get in if they have knowledge, time and resources. I hope I don't get targetted by one of those. For the rest, how far do I go? Leave my door open and be neighbourly? Put on a basic yale lock? Deadlocks on the door and locks on all the windows? Alarm connected to the local police station? Panic room?

There is a risk that I might need all of these; but rationally I don't go out and do it. I make a judgement as to what I'll need based on how much money I've got, how much I'm willing to be inconvenienced by my own security, what crime is like in my neighbourhood and how many valuables I'm protecting.

In the Internet world, I don't have the information to make that judgement. Maybe it's out there; but I'm pretty much flying blind and for this judgement about how much security is appropriate, it might well be that a simple firewall is the best way to go for many people.

I wonder if this is one of those myths like people only using 10% of their brains. I guess if you include people making a mistake as a security breach then it pretty much goes without saying that you'll have more from insiders - maybe that's it.

well to answer iainr's question. The exact problem is such.

For some stupid reason, oracle's report server needs the 'xhost +' command to be executed before it can succesfully generate reports in pdf format. Reports that have their output in text format do not have a problem.

Now consider that we only run text reports. We simply switch on the server and we leave it. It boots up into KDE's login screen and stays that way. So even though no one logs in, the text report runs.

I would like it to be the same way for .pdf reports too

Now I really appreciate all the disscussions about security and firewall, it is extremely informative. But In my case, security is least of the issues. We are on an isolated, trust worthy network with majority of windows users who don't even know what the hell is X windows or Ports. The only ones who do know all this stuff are the ones who own the system.

I swear I will never use the 'xhost +' command ever again if one of you could please give me a viable solution. Thanks a lot

Hi danishmr,

I agree - you just need a solution. I actually have no idea at all how Oracle is connecting to do this. Presumably the report server connects over a specific port to the Linux server. I think the solution here is as likely to be Oracle related as Linux related, from what you've said. Have you asked Oracle (or posted on an Oracle newsgroup/board) ?