Securing Xvfb on a multi-user system
Roland Mainz
roland.mainz at nrubsig.org
Tue Jan 27 08:16:32 PST 2015
On Tue, Jan 13, 2015 at 11:22 PM, Billy Wilson <billy_wilson at byu.edu> wrote:
> Hi,
>
> I have a question about using Xvfb securely on a multi-user system. We are
> currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our main reason
> for using Xvfb is to accommodate one of our users, whose scientific
> computing software requires an X server for some reason.
>
> My concern is that if the non-privileged user runs the following: `Xvfb :1
> -screen 0 800x600x24+1`
>
> Any user on the system is able to export DISPLAY=:1 and run programs that
> connect to his dummy X server. I'm aware of auth file and xhost mechanisms
> for access control, but I was wondering how I can have Xvfb restrict
> connections strictly to the user, by default.
>
> In other words: How can I prevent an uninformed user from using the Xvfb
> defaults and opening X to the world?
See the Xsecurity(7) manual page... the SUN-DES-1, MIT-KERBEROS-5 and
ServerInterpreted auth (see $ xhost +si:localuser:root # example in
the man page, likely your preference if you only need Xvfb locally)
are user-to-user authentication mechanisms...
----
Bye,
Roland
--
__ . . __
(o.\ \/ /.o) roland.mainz at nrubsig.org
\__\/\/__/ MPEG specialist, C&&JAVA&&Sun&&Unix programmer
/O /==\ O\ TEL +49 641 3992797
(;O/ \/ \O;)
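
The ServerInterpreted auth the reply points to, combined with the auth-file mechanism the question mentions, as an added example (not code from the thread or from X.Org): a wrapper that starts Xvfb with a private cookie file and then admits only the invoking Unix user. The function names, the temp-directory pattern and the 800x600x24 screen are assumptions; Xvfb, xauth and xhost must be installed.

```shell
#!/bin/sh
# Added example: start Xvfb so that only the launching user can connect.
# Function names below are hypothetical helpers, not part of any X.Org tool.

# 128-bit random MIT-MAGIC-COOKIE-1 value as 32 hex characters.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Create a directory for the auth file that only its owner can enter.
make_authdir() {
    ( umask 077 && mktemp -d "${TMPDIR:-/tmp}/xvfb-auth.XXXXXX" )
}

# Wait up to about 5 s for the Unix socket of display $1 (e.g. ":1").
wait_for_display() {
    n=0
    until [ -S "/tmp/.X11-unix/X${1#:}" ]; do
        n=$((n + 1)); [ "$n" -gt 5 ] && return 1
        sleep 1
    done
}

start_private_xvfb() {
    display=${1:-:1}
    authdir=$(make_authdir) || return 1
    authfile=$authdir/Xauthority
    ( umask 077 && : > "$authfile" ) || return 1
    xauth -f "$authfile" add "$display" MIT-MAGIC-COOKIE-1 "$(gen_cookie)" || return 1

    # With -auth, clients must present the cookie; a bare "Xvfb :1" accepts
    # any local user. -nolisten tcp keeps the server off the network.
    Xvfb "$display" -screen 0 800x600x24 -nolisten tcp -auth "$authfile" &
    wait_for_display "$display" || return 1

    # Bootstrap with the cookie, then admit this Unix user by name
    # (ServerInterpreted auth, as in the Xsecurity(7) example).
    XAUTHORITY=$authfile DISPLAY=$display \
        xhost "+si:localuser:$(id -un)" >/dev/null || return 1
    echo "export DISPLAY=$display XAUTHORITY=$authfile"
}

# Run as: sh thisfile start [:N]
if [ "${1:-}" = "start" ]; then start_private_xvfb "${2:-:1}"; fi
```

To enforce this by default on a shared host, install the wrapper under a name users will reach for first and have them launch Xvfb through it instead of calling the binary directly.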