LinuxQuestions.org
Old 03-25-2008, 01:21 PM   #1
noisebleed
Member
 
Registered: Feb 2007
Location: Porto, Portugal
Distribution: Gentoo
Posts: 41

Rep: Reputation: 15
How to get X to work with Jailkit? (Xlib connection refused)


Hi.

From the Jailkit website:
Quote:
Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands.
I've installed Jailkit-2.0 (from portage) and configured it for the user test. This user has a bash shell and I can login with no problems.

Then gave him X utilities, Slim login manager and Fluxbox.

I'm trying to run X from the user chroot. Solved some issues but right now I'm stuck with this problem:
Code:
bash-3.2$ startx
hostname: Unknown host
xauth:  creating new authority file /home/teste/.serverauth.28958


Fatal server error:
Cannot move old log file ("/var/log/Xorg.0.log" to "/var/log/Xorg.0.log.old"

Xlib: connection to ":0.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
giving up.
xinit:  unable to connect to X server
xinit:  No such process (errno 3):  Server error.
Running hostname gives:
Code:
bash-3.2$ hostname
noisebleed
I have a .Xauthority in the user home.

The file .xinitrc has:
Code:
exec startfluxbox
Each time I try to connect this message appears on /var/log/slim:
Code:
AUDIT: Tue Mar 25 17:13:02 2008: 28601 X: client 3 rejected from IP 127.0.0.1
  Auth name: MIT-MAGIC-COOKIE-1 ID: -1
I would greatly appreciate some enlightenment on these issues. Thanks.
 
Old 03-25-2008, 07:48 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Code:
AUDIT: Tue Mar 25 17:13:02 2008: 28601 X: client 3 rejected from IP 127.0.0.1
  Auth name: MIT-MAGIC-COOKIE-1 ID: -1
If hints are enough for you then the man pages for (mcookie) xauth and xhost should do the trick.

What I dropped by for is to say that a jail might give you some form of protection (if you heed the usual warnings about making stuff available inside a chroot or jail) but that allowing an untrusted user to run X11 defeats that. That's because of the way X11 needs write access to /dev/kmem and /dev/mem. If you want a fat, juicy example see the docs for or about the "SuckIT" rootkit for details.
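Added example (not part of any post in this thread, and not Jailkit or Xorg code): a small parser for the binary authority-file format that xauth maintains, used to tell apart the two usual causes of "Invalid MIT-MAGIC-COOKIE-1 key" for a local client, namely no entry keyed to the hostname the client uses, or an entry whose cookie differs from the one the server was started with. The lookup is a simplified version of what Xlib does, the cookies are constructed sample values, and only the hostname `noisebleed` comes from the thread.

```python
import hmac
import struct

FAMILY_LOCAL = 256   # Xauth.h FamilyLocal: address field holds the hostname
FAMILY_WILD = 65535  # Xauth.h FamilyWild: entry matches any address
NAME = b"MIT-MAGIC-COOKIE-1"

def read_field(buf, pos):
    """Read one field: 2-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated authority file")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(buf):
    """Return (family, address, display, auth_name, cookie) for each entry."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        fields = []
        for _ in range(4):
            field, pos = read_field(buf, pos)
            fields.append(field)
        entries.append((family, *fields))
    return entries

def pack_entry(family, address, display, name, cookie):
    """Serialize one entry; used here only to build the sample files."""
    out = struct.pack(">H", family)
    for field in (address, display, name, cookie):
        out += struct.pack(">H", len(field)) + field
    return out

def diagnose(server_auth, client_auth, hostname, display=b"0"):
    """Classify a local client's chance of being accepted, without printing cookies."""
    server = [e[4] for e in parse_xauthority(server_auth)
              if e[2] == display and e[3] == NAME]
    mine = [e[4] for e in parse_xauthority(client_auth)
            if e[2] == display and e[3] == NAME
            and (e[0] == FAMILY_WILD or (e[0] == FAMILY_LOCAL and e[1] == hostname))]
    if not mine:
        return "no-entry-for-host"
    if any(hmac.compare_digest(c, s) for c in mine for s in server):
        return "ok"
    return "cookie-mismatch"

# Constructed sample data: two 16-byte cookies and a server authority file.
GOOD, STALE = bytes(range(16)), bytes(range(16, 32))
SERVER = pack_entry(FAMILY_LOCAL, b"noisebleed", b"0", NAME, GOOD)
```

On a real system the two inputs would be the bytes of the file passed to the server with `-auth` and of the user's `.Xauthority` inside the chroot.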
 
Old 03-26-2008, 08:12 AM   #3
noisebleed
Member
 
Registered: Feb 2007
Location: Porto, Portugal
Distribution: Gentoo
Posts: 41

Original Poster
Rep: Reputation: 15
Hi unSpawn.

I'm running a hardened kernel and I will soon configure grsecurity. Hopefully I will get some protection against those kinds of threats.

Some info about hardened and X:
The user is an untrusted user but still I think putting him inside a chroot is better than nothing.

I will explore deeper mcookie, xauth and xhost (xhost, is this secure?)


I'm still somewhat confused. The main system starts and launches the Slim login manager. Then I want the jailed user to login at that screen. But I'm getting "Failed to execute login command". When I do startx from inside the chroot I get "no screens found".

If the only user using a WM is the jailed user who should launch X?

Thanks.
 
Old 03-26-2008, 09:13 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Long time ago I used GRSecurity and I had to mangle stuff to allow me writing to /dev/k?mem. If you look at the RBAC rules there's some for X11 but basically it sets read/write, IIRC. Might want to enable full logging for that user and have the logwatcher react to anything odd. Wrt to your warnings most of it will be solvable when you realise which components are used, how they connect to each other (after all X11 follows the server client paradigm) and look at the logs (and how to enable verbose or debug logging if not enough nfo).
 
Old 03-26-2008, 10:30 AM   #5
internetSurfer
Member
 
Registered: Jan 2008
Location: w3c
Distribution: Slackware 12 Zenwalk 5.2
Posts: 71

Rep: Reputation: 16
Info to troubleshoot error msg: link

Last edited by internetSurfer; 03-26-2008 at 10:37 AM.
 
  


All times are GMT -5. The time now is 01:45 AM.
