How to get X to work with Jailkit? (Xlib connection refused)
Hi.
From the Jailkit website:

Then gave him X utilities, Slim login manager and Fluxbox. I'm trying to run X from the user chroot. Solved some issues but right now I'm stuck with this problem:

Code:
bash-3.2$ startx

Code:
bash-3.2$ hostname

The file .xinitrc has:

Code:
exec startfluxbox

Code:
AUDIT: Tue Mar 25 17:13:02 2008: 28601 X: client 3 rejected from IP 127.0.0.1

Code:
AUDIT: Tue Mar 25 17:13:02 2008: 28601 X: client 3 rejected from IP 127.0.0.1

What I dropped by for is to say that a jail might give you some form of protection (if you heed the usual warnings about making stuff available inside a chroot or jail) but that allowing an untrusted user to run X11 defeats that. That's because of the way X11 needs write access to /dev/kmem and /dev/mem. If you want a fat, juicy example see the docs for or about the "SuckIT" rootkit for details.
Hi unSpawn.

I'm running a hardened kernel and I will soon configure grsecurity. Hopefully I will get some protection against those kinds of threats. Some info about hardened and X:

The user is an untrusted user but still I think putting him inside a chroot is better than nothing. I will explore deeper mcookie, xauth and xhost (xhost, is this secure?).

I'm still somewhat confused. The main system starts and launches the Slim login manager. Then I want the jailed user to login at that screen. But I'm getting "Failed to execute login command". When I do startx from inside the chroot I get "no screens found". If the only user using a WM is the jailed user, who should launch X?

Thanks.
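The "client 3 rejected" line comes from the X server's access control, and for a local user that usually means the cookie Xlib found in the jailed user's ~/.Xauthority did not match what the server holds. Xlib looks the cookie up by (family, address, display number): for a Unix-socket connection to ":0" the family is FamilyLocal and the address is the machine's hostname as returned by gethostname(), which is why a hostname that differs inside the chroot (or an auth file copied from a different host) leaves no matching entry. The following parser of the .Xauthority format is an added example, not code from the thread or from Jailkit; the cookie value, hostnames and display numbers it uses are constructed sample data.

```python
import struct
from typing import Iterator, List, NamedTuple, Optional

# Family codes as defined in X11/Xauth.h.
FAMILY_INTERNET = 0      # IPv4 address, 4 bytes
FAMILY_LOCAL = 256       # local (Unix socket) display, address = hostname
FAMILY_WILD = 65535      # matches any family/address

MIT_COOKIE = b"MIT-MAGIC-COOKIE-1"


class XauthEntry(NamedTuple):
    family: int
    address: bytes   # hostname for FamilyLocal, packed IP for FamilyInternet
    number: bytes    # display number as ASCII digits; empty matches any display
    name: bytes      # authorization protocol name
    data: bytes      # the cookie itself


def _read_counted(buf: bytes, pos: int):
    """Read one 16-bit big-endian length-prefixed field."""
    if pos + 2 > len(buf):
        raise ValueError("truncated Xauthority entry")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated Xauthority entry")
    return buf[pos:pos + n], pos + n


def parse_xauthority(buf: bytes) -> Iterator[XauthEntry]:
    """Yield entries from the bytes of a ~/.Xauthority file.

    Each entry is: family (u16 BE) followed by four counted fields:
    address, number, name, data.
    """
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated Xauthority entry")
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _read_counted(buf, pos)
        number, pos = _read_counted(buf, pos)
        name, pos = _read_counted(buf, pos)
        data, pos = _read_counted(buf, pos)
        yield XauthEntry(family, address, number, name, data)


def pack_entry(e: XauthEntry) -> bytes:
    """Inverse of parse_xauthority for a single entry (used here to build sample data)."""
    out = struct.pack(">H", e.family)
    for field in (e.address, e.number, e.name, e.data):
        out += struct.pack(">H", len(field)) + field
    return out


def find_cookie(entries: List[XauthEntry], family: int, address: bytes,
                display: int) -> Optional[bytes]:
    """Return the MIT-MAGIC-COOKIE-1 data Xlib would present for this
    (family, address, display), or None, which is what precedes a
    'client rejected' AUDIT line on the server side."""
    wanted_number = str(display).encode()
    for e in entries:
        if e.name != MIT_COOKIE:
            continue
        if e.number not in (b"", wanted_number):
            continue
        if e.family == FAMILY_WILD or (e.family == family and e.address == address):
            return e.data
    return None


# Constructed sample file: a cookie for ":0" issued on the host named "desktop",
# plus the same cookie keyed by the IPv4 loopback address for TCP connections.
COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_XAUTHORITY = (
    pack_entry(XauthEntry(FAMILY_LOCAL, b"desktop", b"0", MIT_COOKIE, COOKIE))
    + pack_entry(XauthEntry(FAMILY_INTERNET, bytes([127, 0, 0, 1]), b"0", MIT_COOKIE, COOKIE))
)


def lookup_from_chroot(hostname_in_chroot: str) -> Optional[bytes]:
    """What a Unix-socket connection to ':0' would find if the chroot's
    hostname were `hostname_in_chroot` (assumed value, for illustration)."""
    entries = list(parse_xauthority(SAMPLE_XAUTHORITY))
    return find_cookie(entries, FAMILY_LOCAL, hostname_in_chroot.encode(), 0)


if __name__ == "__main__":
    for host in ("desktop", "jailbox"):
        found = lookup_from_chroot(host)
        print(f"hostname={host!r}: {'cookie found' if found else 'no cookie -> rejected'}")
```

Running the block shows the cookie is found when the chroot reports the hostname "desktop" and missing when it reports "jailbox", which is the same mismatch the `hostname` check in the post is probing for. The practical consequence is that the jailed user's auth file must hold an entry whose address is the hostname visible inside the chroot (or a FamilyWild entry), and that the file must be readable only by that user, since the cookie is the entire credential.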
Long time ago I used GRSecurity and I had to mangle stuff to allow me writing to /dev/k?mem. If you look at the RBAC rules there's some for X11 but basically it sets read/write, IIRC. Might want to enable full logging for that user and have the logwatcher react to anything odd. Wrt to your warnings most of it will be solvable when you realise which components are used, how they connect to each other (after all X11 follows the server client paradigm) and look at the logs (and how to enable verbose or debug logging if not enough info).
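One way to have a log watcher react to the AUDIT lines quoted above, as an added example that is not part of the thread: the X server's `-audit` option raises how much it reports about client connections, and each line has the fixed shape shown in the post, so a small parser can count rejections per source and raise an alert past a threshold. The log lines below are constructed sample data, and the threshold is an arbitrary choice.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Shape of the line quoted in the thread:
# AUDIT: Tue Mar 25 17:13:02 2008: 28601 X: client 3 rejected from IP 127.0.0.1
AUDIT_RE = re.compile(
    r"^AUDIT: (?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): "
    r"(?P<pid>\d+) X: client (?P<client>\d+) (?P<verdict>accepted|rejected) "
    r"from (?P<src>.+)$"
)


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one AUDIT line, or None for any other line."""
    m = AUDIT_RE.match(line.strip())
    return m.groupdict() if m else None


def rejections_by_source(lines: List[str]) -> Counter:
    """Count 'rejected' verdicts per source string (e.g. 'IP 127.0.0.1')."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec["verdict"] == "rejected":
            counts[rec["src"]] += 1
    return counts


def alerts(lines: List[str], threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` rejections, most frequent first.
    A single rejection is usually a cookie mismatch; a burst from one
    source is worth a look at who is trying to attach to the display."""
    counts = rejections_by_source(lines)
    return [src for src, n in counts.most_common() if n >= threshold]


# Constructed sample log: one genuine line from the thread plus made-up neighbours.
SAMPLE_LOG = [
    "AUDIT: Tue Mar 25 17:13:02 2008: 28601 X: client 3 rejected from IP 127.0.0.1",
    "AUDIT: Tue Mar 25 17:13:05 2008: 28601 X: client 4 rejected from IP 127.0.0.1",
    "AUDIT: Tue Mar 25 17:13:09 2008: 28601 X: client 5 rejected from IP 127.0.0.1",
    "AUDIT: Tue Mar 25 17:13:11 2008: 28601 X: client 6 accepted from local host",
    "(==) Log file: \"/var/log/Xorg.0.log\"",  # unrelated line, must be ignored
]

if __name__ == "__main__":
    print(rejections_by_source(SAMPLE_LOG))
    print("alert on:", alerts(SAMPLE_LOG))
```

In a real deployment the function would be fed by whatever tails the X server's log (the thread's logwatcher); the parser is deliberately strict about the line shape so that anything it does not recognise is skipped rather than miscounted.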
Info to troubleshoot error msg: link