LinuxQuestions.org

noisebleed 03-25-2008 12:21 PM

How to get X to work with Jailkit? (Xlib connection refused)
 
Hi.

From the Jailkit website:
Quote:

Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands.

I've installed Jailkit-2.0 (from portage) and configured it for the user test. This user has a bash shell and I can login with no problems.

Then gave him X utilities, Slim login manager and Fluxbox.

I'm trying to run X from the user chroot. Solved some issues but right now I'm stuck with this problem:
Code:

bash-3.2$ startx
hostname: Unknown host
xauth:  creating new authority file /home/teste/.serverauth.28958


Fatal server error:
Cannot move old log file ("/var/log/Xorg.0.log" to "/var/log/Xorg.0.log.old"

Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
giving up.
xinit:  unable to connect to X server
xinit:  No such process (errno 3):  Server error.

Running hostname gives:
Code:

bash-3.2$ hostname
noisebleed

I have a .Xauthority in the user home.

The file .xinitrc has:
Code:

exec startfluxbox

Each time I try to connect this message appears on /var/log/slim:
Code:

AUDIT: Tue Mar 25 17:13:02 2008: 28601 X: client 3 rejected from IP 127.0.0.1
  Auth name: MIT-MAGIC-COOKIE-1 ID: -1

I would greatly appreciate some enlightenment on these issues. Thanks.

unSpawn 03-25-2008 06:48 PM

Code:

AUDIT: Tue Mar 25 17:13:02 2008: 28601 X: client 3 rejected from IP 127.0.0.1
  Auth name: MIT-MAGIC-COOKIE-1 ID: -1

If hints are enough for you then the man pages for (mcookie) xauth and xhost should do the trick.

What I dropped by for is to say that a jail might give you some form of protection (if you heed the usual warnings about making stuff available inside a chroot or jail) but that allowing an untrusted user to run X11 defeats that. That's because of the way X11 needs write access to /dev/kmem and /dev/mem. If you want a fat, juicy example see the docs for or about the "SuckIT" rootkit for details.
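
A way to check whether the two authority files involved hold the same cookie, which is what "Invalid MIT-MAGIC-COOKIE-1 key" is about (added example, not part of any post in this thread): it parses the binary Xauthority file format and compares the entries for display 0 without printing the secret. The function names and sample bytes are constructed for illustration; on a real system the inputs would be the bytes read from the server's authority file and from the `.Xauthority` the client sees inside the jail.

```python
import hmac
import struct

COOKIE = b"MIT-MAGIC-COOKIE-1"
FAMILY_LOCAL = 256  # Xauth family value for local (non-TCP) connections

def parse_xauthority(blob):
    """Yield (family, address, display, auth_name, auth_data) per entry."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):  # address, display number, auth name, auth data
            if pos + 2 > len(blob):
                raise ValueError("truncated length field")
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated entry")
            fields.append(blob[pos:pos + n])
            pos += n
        yield (family, *fields)

def cookies_for(blob, display):
    """Return every MIT-MAGIC-COOKIE-1 value stored for one display number."""
    return [data for _fam, _addr, num, name, data in parse_xauthority(blob)
            if num == display and name == COOKIE]

def diagnose(server_blob, client_blob, display=b"0"):
    """Compare server and client cookies without ever printing them."""
    server, client = cookies_for(server_blob, display), cookies_for(client_blob, display)
    if not server or not client:
        return "no cookie for this display in the %s file" % ("server" if not server else "client")
    if any(hmac.compare_digest(s, c) for s in server for c in client):
        return "match"
    return "mismatch"  # the case reported as an invalid key

def make_entry(family, address, display, name, data):
    out = struct.pack(">H", family)
    for field in (address, display, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed sample (make_entry exists only to build it): same host and
# display, two different 16-byte cookies.
SERVER = make_entry(FAMILY_LOCAL, b"noisebleed", b"0", COOKIE, bytes(range(16)))
STALE = make_entry(FAMILY_LOCAL, b"noisebleed", b"0", COOKIE, bytes(16))
```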

noisebleed 03-26-2008 07:12 AM

Hi unSpawn.

I'm running a hardened kernel and I will soon configure grsecurity. Hopefully I will get some protection against those kinds of threats.

Some info about hardened and X:
The user is an untrusted user but still I think putting him inside a chroot is better than nothing.

I will explore deeper mcookie, xauth and xhost (xhost, is this secure?)


I'm still somewhat confused. The main system starts and launches the Slim login manager. Then I want the jailed user to login at that screen. But I'm getting "Failed to execute login command". When I do startx from inside the chroot I get "no screens found".

If the only user using a WM is the jailed user who should launch X?

Thanks.

unSpawn 03-26-2008 08:13 AM

Long time ago I used GRSecurity and I had to mangle stuff to allow me writing to /dev/k?mem. If you look at the RBAC rules there's some for X11 but basically it sets read/write, IIRC. Might want to enable full logging for that user and have the logwatcher react to anything odd. Wrt your warnings most of it will be solvable when you realise which components are used, how they connect to each other (after all X11 follows the server client paradigm) and look at the logs (and how to enable verbose or debug logging if not enough info).

internetSurfer 03-26-2008 09:30 AM

Info to troubleshoot error msg: link