Securing Xvfb on a multi-user system

Billy Wilson billy_wilson at byu.edu
Thu Jan 15 09:22:37 PST 2015


Thanks Glynn, these are some good options.

Is there a way to secure Xvfb during an installation from source, such 
as during ./configure?

Thanks,
Billy Wilson

On 01/14/2015 05:09 AM, Glynn Clements wrote:
> Billy Wilson wrote:
>
>> I have a question about using Xvfb securely on a multi-user system. We
>> are currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our main
>> reason for using Xvfb is to accommodate one of our users, whose
>> scientific computing software requires an X server for some reason.
>>
>> My concern is that if the non-privileged user runs the following: `Xvfb
>> :1 -screen 0 800x600x24+1`
>>
>> Any user on the system is able to export DISPLAY=:1 and run programs
>> that connect to his dummy X server. I'm aware of auth file and xhost
>> mechanisms for access control, but I was wondering how I can have Xvfb
>> restrict connections strictly to the user, by default.
>>
>> In other words: How can I prevent an uninformed user from using the Xvfb
>> defaults and opening X to the world?
> One option is to rename Xvfb and replace it with a script which starts
> Xvfb proper with the appropriate arguments.
>
> Another would be to replace Xvfb with Xvnc, started from the display
> manager. This will require the user to log in interactively, as with
> any other X server.
>
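
The wrapper approach suggested in the quoted reply, sketched as an added example (not code from the thread or from X.Org). It assumes the real server has been renamed to `/usr/bin/Xvfb.real` (a hypothetical path) and that this script is installed under the name `Xvfb`; `harden_args`, `display_of` and `REAL_XVFB` are names made up for the illustration. It drops `-ac`, forces `-auth` with a per-user cookie file and adds `-nolisten tcp`.

```shell
#!/bin/sh
# Added example: wrapper installed as "Xvfb". The real binary is assumed to
# have been renamed to Xvfb.real (hypothetical name, adjust to your system).
REAL_XVFB=${REAL_XVFB:-/usr/bin/Xvfb.real}
AUTH_FILE=${XAUTHORITY:-$HOME/.Xauthority}

# Print the hardened argument list, one argument per line.
harden_args() {
    have_auth=0 have_nolisten=0 prev=
    for arg in "$@"; do
        case $arg in
            -ac) prev=$arg; continue ;;   # -ac disables access control: drop it
            -auth) have_auth=1 ;;         # caller supplied an auth file: keep it
            tcp) [ "$prev" = -nolisten ] && have_nolisten=1 ;;
        esac
        printf '%s\n' "$arg"
        prev=$arg
    done
    [ "$have_auth" -eq 1 ] || printf '%s\n' -auth "$AUTH_FILE"
    [ "$have_nolisten" -eq 1 ] || printf '%s\n' -nolisten tcp
}

# Print the display name given on the command line (":0" if none was given).
display_of() {
    for arg in "$@"; do
        case $arg in :*) printf '%s\n' "$arg"; return 0 ;; esac
    done
    printf ':0\n'
}

main() {
    umask 077                             # cookie file readable by the owner only
    display=$(display_of "$@")
    case " $* " in
        *" -auth "*) ;;                   # caller manages the cookie
        *) xauth -f "$AUTH_FILE" add "$display" . "$(mcookie)" ;;
    esac
    # Rebuild "$@" from the newline-separated list (no newlines inside arguments).
    oldifs=$IFS; IFS='
'
    set -f; set -- $(harden_args "$@"); set +f
    IFS=$oldifs
    exec "$REAL_XVFB" "$@"
}

# Act as the server only when invoked under the name Xvfb.
case ${0##*/} in Xvfb) main "$@" ;; esac
```

Clients run by the same user pick up the cookie from the same authority file; other local users cannot read it, so their connection attempts to the display are refused.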


