Firewall Wizards mailing list archives
Re: X11 forwarding
From: Brian Hatch <firewall-wizards () ifokr org>
Date: Fri, 23 Aug 2002 16:50:49 -0700
How much of a security problem is X11 forwarding? I see CERT recommends using a version that allows this to be turned off, but doesn't specifically recommend that X11 forwarding be disabled.
Say you connect from your machine running X11 with:

    jdoe@home$ ssh -X remote_server
    remote_server password:
    jdoe@remote_server$

Then you can display X11 apps on your home machine that start on the remote server:

    jdoe@remote_server$ echo $DISPLAY
    :10.0
    jdoe@remote_server$ xclock
    (display appears on your desktop)

By setting the correct environment variables, root can do this too:

    root@remote_server# export HOME=/home/jdoe
    root@remote_server# export DISPLAY=:10.0
        (replace with correct display number)
    root@remote_server# xclock
    (display appears on your desktop)

The problem is that X11 gives much more access than just popping windows on your screen, such as snagging every event (mouse click, keypress, etc) on your X11 desktop. If you don't trust root on remote_server, then you shouldn't allow X11 forwarding to it.

    root@remote_server# xwd -root > jdoe.screenshot.xwd
    root@remote_server# xkey
    (whatever user types appears here...)

--
Brian Hatch                  I admire your bad
   Systems and                qualities and I
   Security Engineer          wouldn't have you
www.buildinglinuxvpns.net     part with a single one

Every message PGP signed
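As an added example (not part of the original post): a shell function that lists the Host blocks of an OpenSSH client config that enable ForwardX11, so they can be compared with the servers whose root you trust. The sample config, the host names other than remote_server, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenSSH client config for X11 forwarding.

# Reads ssh_config text on stdin and prints the pattern list of every Host
# (or Match) block that sets "ForwardX11 yes". Options placed before the
# first Host line apply to all hosts and are reported as "*".
x11_forwarding_hosts() {
    awk '
        function report() { if (x11 == "yes") print hosts }
        BEGIN { hosts = "*"; x11 = "" }
        {
            sub(/^[ \t]+/, "")                 # drop indentation
            if ($0 == "" || $0 ~ /^#/) next    # skip blanks and comments
            sub(/[ \t]*=[ \t]*/, " ")          # accept the "Key=Value" form
            key = tolower($1)                  # keywords are case-insensitive
            if (key == "host" || key == "match") {
                report()
                if (key == "host") { $1 = ""; sub(/^ /, "") }
                hosts = $0; x11 = ""
            } else if (key == "forwardx11" && x11 == "") {
                x11 = tolower($2)              # first value in a block wins
            }
        }
        END { report() }
    '
}

# Same input, minus blocks on an allowlist: $1 holds the exact pattern
# lists (one per line) of servers whose root is trusted.
untrusted_x11_hosts() {
    x11_forwarding_hosts | grep -vxF -e "$1" || true
}

# Constructed sample config (not taken from the post).
SAMPLE_CONFIG='# constructed sample
Host remote_server
    ForwardX11 yes
Host build-box
    ForwardX11=no
    ForwardX11 yes
Host *.lab.example  jump
    forwardx11 YES
Host *
    ForwardX11 no
'

# Blocks that forward X11 to servers not on the allowlist.
printf '%s' "$SAMPLE_CONFIG" | untrusted_x11_hosts '*.lab.example jump'
```

This reports per block only; the effective value for one host, after every matching block is merged, is what `ssh -G host | grep -i forwardx11` prints.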