LinuxQuestions.org - disabling xhost & xauth

- Slackware (https://www.linuxquestions.org/questions/slackware-14/)

- - disabling xhost & xauth (https://www.linuxquestions.org/questions/slackware-14/disabling-xhost-and-xauth-338594/)

disabling xhost & xauth

How can I disable or reject any requests for xhost, xauth? From what I understand an attacker can simply login if I have an ip address. But I do not do that, I don't even use x11 forwarding, I just want to lock this down so there is no way possible anyone can use xhost or manipulate xauth?

From http://www.linuxsecurity.com/resourc...cklist.en.html :

Quote:

If you run X, disable xhost authentication and go with ssh instead; better yet, disable remote X if you can (add -nolisten tcp to the X command line and turn off XDMCP in /etc/X11/xdm/xdm-config by setting the requestPort to 0)

HTH

Code:

! $Xorg: xdm-conf.cpp,v 1.3 2000/08/17 19:54:17 cpqbld Exp $

!

!

!

!

! $XFree86: xc/programs/xdm/config/xdm-conf.cpp,v 1.10 2002/11/30 19:11:32 herrb Exp $

!

DisplayManager.errorLogFile:        /var/log/xdm.log

DisplayManager.pidFile:                /var/run/xdm.pid

DisplayManager.keyFile:                /usr/X11R6/lib/X11/xdm/xdm-keys

DisplayManager.servers:                /usr/X11R6/lib/X11/xdm/Xservers

DisplayManager.accessFile:        /usr/X11R6/lib/X11/xdm/Xaccess

DisplayManager.willing:                su nobody -c /usr/X11R6/lib/X11/xdm/Xwilling

! All displays should use authorization, but we cannot be sure

! X terminals may not be configured that way, so they will require

! individual resource settings.

DisplayManager*authorize:        true

! The following three resources set up display :0 as the console.

DisplayManager._0.setup:        /usr/X11R6/lib/X11/xdm/Xsetup_0

DisplayManager._0.startup:        /usr/X11R6/lib/X11/xdm/GiveConsole

DisplayManager._0.reset:        /usr/X11R6/lib/X11/xdm/TakeConsole

!

DisplayManager*chooser:                /usr/X11R6/lib/X11/xdm/chooser

DisplayManager*resources:        /usr/X11R6/lib/X11/xdm/Xresources

DisplayManager*session:                /usr/X11R6/lib/X11/xdm/Xsession

DisplayManager*authComplain:        true







! SECURITY: do not listen for XDMCP or Chooser requests

! Comment out this line if you want to manage X terminals with xdm

DisplayManager.requestPort:        0

Looks like it is already set to Port zero?

Yes. The documentation I quoted was for Debian, so in Slackware the config might be different.
Also have a look at /usr/X11R6/bin/startx for the other point.

Of course, you could always block incoming connections with iptables, that's what I did.