[ubuntu-hardened] Securing access to the X Server.

Marc Deslauriers marc.deslauriers at canonical.com
Thu Oct 20 09:54:17 UTC 2016


Hi,

On 2016-10-20 11:41 AM, daniel curtis wrote:
> 
> Hello
> 
> I hope that it's a good place to ask a question about securing X Server. As we
> know, if someone does not need X access - for example - from another machine etc.,
> such user can block port # 6000 (TCP) using iptables(8) or by switching off this
> port via '-nolisten tcp' option [1].

By default, Ubuntu is configured with -nolisten tcp. It is already
set in /etc/X11/xinit/xserverrc.

> 
> But, if it is about securing access to the X Window; can I use
> /etc/X11/app-defaults/XScreenSaver file? Why I'm asking? I would like to edit
> this file and make a small change:
> 
> *lock:            False
> 
> And use 'True' instead, so:
> 
> *lock:            True
> 

Ubuntu 12.04 uses gnome-screensaver by default, not XScreenSaver. Turning on
XScreenSaver will not prevent connections to X.

> One more thing: there is a server access control program for X, called xhost(1).
> A very bad step is to type, for example, '[$] xhost +' command, right? A better
> solution is '[$] xhost +hostname'. But is the use of xhost(1) necessary?
> Or just leave it as is, after - let's say - a clean system installation?

By default, the Ubuntu 12.04 xhost is configured to only allow access from the
console, no changes necessary.

> 
> What is your opinion on this? Is it worth making such changes, or is switching
> off the binding on port 6000 enough? My question concerns the 12.04 Release. If
> it matters. Please write your opinions and what do you think about that issue
> etc. Thanks. All for better security :- )
> 

A default installation of Ubuntu 12.04 LTS should already be configured to
disallow remote X connections.

Marc.
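
A read-only check of the three settings covered in this thread (-nolisten tcp in xserverrc, a listener on TCP port 6000, and the xhost access list), as an added example that is not part of the original message. The function names and sample inputs are constructed for illustration; the xhost strings matched are the ones xhost(1) prints when run without arguments.

```shell
#!/bin/sh
# Added example: each helper reads text on stdin, so it works on live output
# or on saved copies, e.g.
#   has_nolisten_tcp < /etc/X11/xinit/xserverrc
#   ss -ltn | x_tcp_listening && echo "TCP 6000 is open"
#   xhost | xhost_findings

# Succeeds if a non-comment line of an xserverrc passes "-nolisten tcp".
has_nolisten_tcp() {
    grep -v '^[[:space:]]*#' | grep -Eq -- '-nolisten[[:space:]]+tcp'
}

# Succeeds if listening-socket output (ss -ltn or netstat -ltn) contains an
# address field ending in :6000. Assumes the input lists listeners only.
x_tcp_listening() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:6000$/) found = 1 }
         END { exit !found }'
}

# Prints one finding per risky line of xhost output; prints nothing when
# access control is enabled and only local entries are authorised.
xhost_findings() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "OPEN: any host may connect (xhost +)" ;;
            INET:*|INET6:*)
                echo "REMOTE: $line" ;;
        esac
    done
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_RC='#!/bin/sh
exec /usr/bin/X -nolisten tcp "$@"'
SAMPLE_SS_OPEN='LISTEN 0 128 *:6000 *:*'
SAMPLE_SS_CLOSED='LISTEN 0 128 127.0.0.1:631 *:*'
SAMPLE_XHOST_DEFAULT='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'

# Demo run on the constructed samples.
printf '%s\n' "$SAMPLE_RC" | has_nolisten_tcp && echo "xserverrc: -nolisten tcp set"
printf '%s\n' "$SAMPLE_SS_OPEN" | x_tcp_listening && echo "sample: TCP 6000 listening"
printf '%s\n' "$SAMPLE_XHOST_OPEN" | xhost_findings
```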




