Securing Xvfb on a multi-user system
billy_wilson at byu.edu
Thu Jan 15 09:22:37 PST 2015
Thanks Glynn, these are some good options.
Is there a way to secure Xvfb during an installation from source, such
as during ./configure?
On 01/14/2015 05:09 AM, Glynn Clements wrote:
> Billy Wilson wrote:
>> I have a question about using Xvfb securely on a multi-user system. We
>> are currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our main
>> reason for using Xvfb is to accommodate one of our users, whose
>> scientific computing software requires an X server for some reason.
>> My concern is that if the non-privileged user runs the following:
>> `Xvfb :1 -screen 0 800x600x24+1`
>> Any user on the system is able to export DISPLAY=:1 and run programs
>> that connect to his dummy X server. I'm aware of auth file and xhost
>> mechanisms for access control, but I was wondering how I can have Xvfb
>> restrict connections strictly to the user, by default.
>> In other words: How can I prevent an uninformed user from using the Xvfb
>> defaults and opening X to the world?
> One option is to rename Xvfb and replace it with a script which starts
> Xvfb proper with the appropriate arguments.
> Another would be to replace Xvfb with Xvnc, started from the display
> manager. This will require the user to log in interactively, as with
> any other X server.
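
The wrapper-script option suggested above could look like the following. This is an added sketch, not code from the thread. It assumes the real server was renamed to /usr/bin/Xvfb.real (a hypothetical path) and that xauth is installed. The function names are illustrative, and disabling TCP listening goes beyond what the thread proposes.

```shell
#!/bin/sh
# Added example: wrapper installed as "Xvfb". The real server is assumed to
# have been renamed to /usr/bin/Xvfb.real (hypothetical path).
REAL_XVFB=${REAL_XVFB:-/usr/bin/Xvfb.real}

# 128-bit random value as 32 hex digits, used as an MIT-MAGIC-COOKIE-1 key.
make_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the display argument (e.g. ":1"); the X server default is ":0".
find_display() {
    for arg do
        case $arg in :*) printf '%s\n' "$arg"; return ;; esac
    done
    printf ':0\n'
}

# run_locked SERVER AUTHFILE [args...]
# Drops caller-supplied "-ac" (turns access control off) and "-auth FILE",
# then runs SERVER with our own -auth file and without a TCP listener.
run_locked() {
    server=$1 authfile=$2
    shift 2
    skip=0
    for arg do
        shift
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $arg in
            -ac) continue ;;
            -auth) skip=1; continue ;;
        esac
        set -- "$@" "$arg"
    done
    "$server" "$@" -nolisten tcp -auth "$authfile"
}

main() {
    umask 077    # a newly created authority file is readable by its owner only
    authfile=${XAUTHORITY:-$HOME/.Xauthority}
    display=$(find_display "$@")
    xauth -f "$authfile" add "$display" . "$(make_cookie)" || exit 1
    run_locked "$REAL_XVFB" "$authfile" "$@"
}

# Only act as the server when installed under the name "Xvfb".
case ${0##*/} in Xvfb) main "$@" ;; esac
```

Because the cookie is stored in the invoking user's own authority file, that user's clients authenticate without extra steps, while other local users who set DISPLAY=:1 are refused.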