Securing Xvfb on a multi-user system
aivils at latnet.lv
Sat Jan 17 06:08:33 PST 2015
Citējot Billy Wilson <billy_wilson at byu.edu>:
> I have a question about using Xvfb securely on a multi-user system.
> We are currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our
> main reason for using Xvfb is to accommodate one of our users, whose
> scientific computing software requires an X server for some reason.
> My concern is that if the non-privileged user runs the following:
> `Xvfb :1 -screen 0 800x600x24+1`
probably You cant start it without TCP protocol
$ Xvfb :1 -screen 0 800x600x24+1 -nolisten tcp
and after successful start restrict the socket file
$ chmod 0600 /tmp/.X11-unix/X1
> Any user on the system is able to export DISPLAY=:1 and run programs
> that connect to his dummy X server. I'm aware of auth file and xhost
> mechanisms for access control, but I was wondering how I can have
> Xvfb restrict connections strictly to the user, by default.
> In other words: How can I prevent an uninformed user from using the
> Xvfb defaults and opening X to the world?
> Billy Wilson
More information about the xorg