Date: Mon, 29 Aug 2016 10:51:06 +0200 From: Jan Bramkamp <crest@rlwinm.de> To: freebsd-x11@freebsd.org Subject: Re: making X secure? Message-ID: <e9faebc3-8e41-f3ce-83b2-2efd58e41e54@rlwinm.de> In-Reply-To: <57C2D94D.7040906@yahoo.com> References: <57C2D94D.7040906@yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 28/08/16 14:30, Jules Gilbert via freebsd-x11 wrote: > Is this possible?, can X be made secure?? > > I need X for the Mozilla application family. Are those weak from a > security perspective? > > At the moment I'm doing other stuff and (this may be a foolish > thought...,) would accept a quick fix. Probably a really bad idea, I > know. But someone who's apparently good at this has hacked several > releases of FreeBSD and OpenBSD. About OpenBSD, as soon as one adds > (for me, necessary,) applications, it's not as advertised. > > Okay, one more time. Can X be made secure? X.org has an enormous attack surface and compromising the X11 server can allow you to capture all user input (including passwords). You can run a nested X11 server to reduce the attack surface and gain some defense in depth. You can also run Firefox and/or Thunderbird in a jail. The next step would probably be shipping audit records to a remote system with auditdistd. You can further lock down the jail with MAC modules if you like to play a few rounds of whack a mole with your applications.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?e9faebc3-8e41-f3ce-83b2-2efd58e41e54>