-   Slackware (
-   -   Securing X (

STDOUBT 06-10-2010 10:41 PM

Securing X
I wondered to myself....

"Self, WTF good is the oh, so bitchin' xscreensaver SCREEN LOCK if any idiot could come along and make my X go POOF with a simple ctl+alt+BackSpace???" ...they would get dropped into my shell. You know, the shell where I started X? BAM Full Access.

How I solved this was I decided to make X start right up by changing /etc/inittab line "id:3:initdefault:" to say "id:4:initdefault:". Now if X is killed there is no open, vulnerable, naked little login-shell waiting to get sploited! =-)

Also, I found (like most astute slackware newbs) that when X starts, it listens on port 6000 for connections (XDMCP or whatever). This really bugged me, since I never plan on using this awesome feature.
So I edited /etc/X11/xdm/Xservers (I excluded KDE from my 13.1 install).
and changed this line

:0 local /usr/bin/X :0
to this

:0 local /usr/bin/X -nolisten tcp :0
restarted X, and Bob's my Uncle!

Mr-Bisquit 06-10-2010 10:57 PM

I thought the nolisten flag was standard for X and had to be changed to allow remote connections. I set X11 forwarding on ssh with a value of >/= +100: Port6000 for local connections, limit the users. Port6100 or greater for remote. Limit the users.

Isn't it also possible to change the key combination?

GazL 06-11-2010 05:25 AM

Yep, this is one of those little things that needs attention after installing Slackware. KDM adds "-nolisten tcp" by default when starting the xserver, but startx and xdm don't.

As for the screenlock, ctrl-alt-backspace and virtual console switching can be disabled from xorg.conf, or rather you used to be able to: I think you have to do it in HAL on a newer Slackware as it was changed - presumably because editing a single line in xorg.conf was way too simple and the Xorg guys needed to show how clever they could be! :(

You also have to be aware that alt-SysRq can be used to a similar effect, so it's not a good idea to leave an open console session on a Virtual Console as there's really no good way to secure it. screensaver/xlock only go so far.

Mark Pettit 06-11-2010 07:09 AM

I think it's worth mentioning that unless you have encrypted your disks (root,home etc), very few machines are secure when someone has physical access to them. Merely placing a live-distro CD in the tray and powering off and on will give you full access to everything not encrypted. A good firewall that closes all port other than SSH (22) would also prevent over-the-network attacks on X.

Mr-Bisquit 06-11-2010 07:25 AM

It's not a good idea to use the standard port 22 for ssh.
Also X won't start on any other tty unless you specify such.

startx -- :1,2,etc
will get an Xsession.
Xdm will only give another Xsession only if it is specified.
If the distribution or OS you are using allows other Xsessions without specifying such, then it's time to drop it.

allend 06-11-2010 10:34 AM

I just want to point out that in default Slackware listening for XDMCP requests is disabled in /etc/X11/xdm/xdm-config

! SECURITY: do not listen for XDMCP or Chooser requests
! Comment out this line if you want to manage X terminals with xdm
DisplayManager.requestPort: 0
Alien_Bob has a blog post on what is required to enable XDMCP on Slackware.

ponce 06-11-2010 10:47 AM

I usually boot in init 3 on my work desktop and to be sure nobody does nasty things on my shell, I launch X with

exec startx
from exec man page

The exec() family of functions replaces the current process image with a new process image.
so it launches X closing the login bash.
this way, when I exit/zap X (if I switch to console, ctrl-Z doesn't work because I'm no more in bash) I'm at the login prompt ;)

obviously someone can open my pc and remove the hard disk, but my home is crypted and nobody can see what I'm doing if the screen is locked.

O.T.: using compcache adds extra privacy, because your swap is in ram and gets cleaned at reboot: you can't imagine how many interesting things can be found if you run strings on swap ;)

All times are GMT -5. The time now is 06:11 PM.