From owner-freebsd-security Wed Mar 21 11:53:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 7C76137B730 for ; Wed, 21 Mar 2001 11:53:22 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id LAA17828; Wed, 21 Mar 2001 11:52:44 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda17826; Wed Mar 21 11:52:29 2001
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f2LJqOK41572; Wed, 21 Mar 2001 11:52:24 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdx41558; Wed Mar 21 11:52:10 2001
Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f2LJqAi08753; Wed, 21 Mar 2001 11:52:10 -0800 (PST)
Message-Id: <200103211952.f2LJqAi08753@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdOh8742; Wed Mar 21 11:51:27 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: schubert
To: David Pick
Cc: security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
In-reply-to: Your message of "Wed, 21 Mar 2001 17:54:57 GMT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 21 Mar 2001 11:51:27 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message , David Pick writes:
> > I also think about disabling xhost and wonder which solution have you
> > chosen -- modifying Xserver source offered later in the thread? Actually,
> > "-nolisten tcp" is a nice idea, but I would like X to run from the server
> > on all "Xterminals", and of course "X -query" fails that way...
>
> I actually run two copies of "xdm": one (with "-nolisten tcp") for the
> local display which also has the XDMCP port set to zero to disable
> remote X displays using XDMCP; and the other copy of "xdm" with no
> X servers at all, just listening for XDMCP on port 177.
>
> Makes it much easier to control the availability of XDMCP without
> editing files as such. I use this on a laptop which wants just the
> local display in most connections, but I want to allow the use of
> an X terminal when I'm at home with a trusted desktop and 17" monitor.

I use a locally modified version of Xforward (ftp://crl.dec.com:/pub/DEC/xforward.tar.Z). Xforward is designed to proxy X sessions through a firewall. Before proxying a session (allowing the connection), it will pop up a window asking whether the connection should be allowed. I can click on "Yes" or "No" to allow/disallow the connection. I then block all access to my X server's port (6000) using IP Filter or IPFW, only allowing Xforward running on my desktop to talk to port 6000.

The drawback to Xforward is that it does not support MIT cookies or any other authentication mechanism, so xhost must be done. This is a problem on multi-user systems; however, on personal desktop systems, e.g. my workstation, where I am the only user using (or allowed to use) the system, this is not a problem, as the firewall will protect the perimeter. This breaks the concept of security through depth; however, when running remote X clients, this is probably the lesser of the two evils.

Xroute, another X proxy, can be manipulated to do the same. I'm not sure where I got Xroute from.

Creation of Xforward and Xroute ports for the ports collection is in my queue of things to get done, so you should see them shortly (after I've completed the Tripwire 2.3.1 port).
Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
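As an added example that is not part of this thread and not code from xdm, Xforward or FreeBSD, the sh script below audits the two settings David describes for the local-display xdm instance (DisplayManager.requestPort set to 0 in xdm-config, and -nolisten tcp on every local server line in Xservers) and then checks a sockstat-style listing for any TCP listener on port 6000, the port Cy firewalls off. The file names, the sockstat column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) and all sample contents are assumptions constructed here; point the functions at the real files under /usr/X11R6/lib/X11/xdm and at live `sockstat -4l` output to audit a running host.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an xdm setup for the
# hardening points discussed above. Formats follow stock xdm conventions as
# far as the author of this example knows; sample contents are constructed.

# Return 0 if xdm-config sets DisplayManager.requestPort to 0, i.e. this xdm
# instance does not answer XDMCP queries. Lines starting with "!" are comments.
xdmcp_disabled() {
    grep -v '^!' "$1" | grep -Eq '^DisplayManager\.requestPort:[[:blank:]]*0[[:blank:]]*$'
}

# Return 0 if every active local entry in an Xservers file starts the server
# with "-nolisten tcp"; print each offending line and return 1 otherwise.
xservers_nolisten_tcp() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # blank lines and comments
            *foreign*) continue ;;        # remote displays: no command line to check
            *"-nolisten tcp"*) ;;         # hardened
            *) echo "X listening on TCP: $line"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Return 0 if a sockstat-style listing shows no TCP socket bound to port 6000.
# Column 5 is PROTO (tcp4/tcp6) and column 6 is LOCAL ADDRESS (host:port).
no_x_tcp_listener() {
    ! awk '$5 ~ /^tcp/ && $6 ~ /:6000$/ { found = 1 } END { exit !found }' "$1"
}

# --- constructed sample inputs ---------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/xdm-config" <<'EOF'
! constructed sample: the local-display xdm instance, XDMCP turned off
DisplayManager.servers:     /usr/X11R6/lib/X11/xdm/Xservers
DisplayManager.requestPort: 0
EOF

cat > "$SAMPLE_DIR/Xservers.good" <<'EOF'
# constructed sample: local server started without a TCP listener
:0 local /usr/X11R6/bin/X -nolisten tcp
EOF

cat > "$SAMPLE_DIR/Xservers.bad" <<'EOF'
# constructed sample: local server left listening on TCP port 6000
:0 local /usr/X11R6/bin/X
EOF

cat > "$SAMPLE_DIR/sockstat.bad" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    312    1 tcp4   *:6000                *:*
root     sshd       201    3 tcp4   *:22                  *:*
EOF

cat > "$SAMPLE_DIR/sockstat.good" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       201    3 tcp4   *:22                  *:*
EOF

# --- run the audit over the samples -----------------------------------------
if xdmcp_disabled "$SAMPLE_DIR/xdm-config"; then
    echo "xdm-config: XDMCP disabled (requestPort 0)"
else
    echo "xdm-config: XDMCP still enabled"
fi
for f in Xservers.good Xservers.bad; do
    if xservers_nolisten_tcp "$SAMPLE_DIR/$f"; then
        echo "$f: all local servers use -nolisten tcp"
    else
        echo "$f: at least one local server accepts TCP"
    fi
done
for f in sockstat.good sockstat.bad; do
    if no_x_tcp_listener "$SAMPLE_DIR/$f"; then
        echo "$f: nothing listening on TCP port 6000"
    else
        echo "$f: TCP port 6000 is open"
    fi
done
```

The listener check is the one to run after the config changes: `-nolisten tcp` removes the port 6000 socket entirely, whereas the Xforward approach in the reply above keeps it open and relies on the packet filter, so on that kind of host the sockstat check is expected to report the port and the firewall rules become the thing to verify instead.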