Securing Xvfb on a multi-user system

Glynn Clements glynn at gclements.plus.com
Wed Jan 14 04:09:10 PST 2015


Billy Wilson wrote:

> I have a question about using Xvfb securely on a multi-user system. We 
> are currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our main 
> reason for using Xvfb is to accommodate one of our users, whose 
> scientific computing software requires an X server for some reason.
> 
> My concern is that if the non-privileged user runs the following:
> `Xvfb :1 -screen 0 800x600x24+1`
> 
> Any user on the system is able to export DISPLAY=:1 and run programs 
> that connect to his dummy X server. I'm aware of auth file and xhost 
> mechanisms for access control, but I was wondering how I can have Xvfb 
> restrict connections strictly to the user, by default.
> 
> In other words: How can I prevent an uninformed user from using the Xvfb 
> defaults and opening X to the world?

One option is to rename Xvfb and replace it with a script which starts
Xvfb proper with the appropriate arguments.

Another would be to replace Xvfb with Xvnc, started from the display
manager. This will require the user to log in interactively, as with
any other X server.

-- 
Glynn Clements <glynn at gclements.plus.com>
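
A sketch of the first option in the reply above, added here as an example and not taken from the thread: a wrapper installed under the name Xvfb that refuses `-ac` and always starts the server with `-auth` and a fresh MIT-MAGIC-COOKIE-1 cookie. It assumes the real binary was renamed to /usr/bin/Xvfb.real (a hypothetical path) and that xauth is installed; the function names are illustrative.

```shell
#!/bin/sh
# Example wrapper, installed as "Xvfb" in place of the renamed real binary.
REAL_XVFB=/usr/bin/Xvfb.real   # assumption: where the real server was moved

# Print 32 hex digits (128 bits) for an MIT-MAGIC-COOKIE-1 key.
make_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the display argument (":1"), or the X server default ":0" if absent.
display_of() {
    for arg in "$@"; do
        case $arg in :[0-9]*) printf '%s\n' "$arg"; return 0 ;; esac
    done
    printf ':0\n'
}

# Succeed if the caller passed -ac, which switches access control off.
disables_access_control() {
    for arg in "$@"; do
        [ "$arg" = "-ac" ] && return 0
    done
    return 1
}

secure_xvfb() {
    if disables_access_control "$@"; then
        echo "Xvfb wrapper: -ac is not permitted on this host" >&2
        return 2
    fi
    umask 077   # the authority file must be readable by its owner only
    authfile=${XAUTHORITY:-$HOME/.Xauthority}
    # Feed the cookie on stdin so it never appears in another process's argv.
    printf 'add %s . %s\n' "$(display_of "$@")" "$(make_cookie)" |
        xauth -q -f "$authfile" || return 1
    exec "$REAL_XVFB" "$@" -auth "$authfile"
}

# Act as the wrapper only when invoked under the name Xvfb.
case ${0##*/} in Xvfb) secure_xvfb "$@" ;; esac
```

Clients run by the same user find the cookie through the same authority file; other local users' connections to that display are refused because they cannot read it.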

