Security under X Windows
Updated 9/13/95

The X Window System was designed to allow easy access to the display of your workstation. It is by no means a "secure" system. There are several security holes in X Windows that have been known for some time. I describe some of the changes we have made to enhance security, as well as the violations that are possible. Naturally, I will not be explaining how to actually exploit the security holes.

Formerly we used the simplest access control, called "Host-Based Access Control", which is based on the program 'xhost'. Under this scheme, access is granted or denied to a particular computer. If granted, then ALL users of that computer are given access to your display. This means that it is possible for someone on a remote computer to take a snapshot of your screen at any time. They may also be able to capture keystrokes from your keyboard, such as passwords typed in during "su", telnet or rlogin. Under the worst scenario, a student might take a snapshot of the exam that is displayed on the screen of the workstation of a professor. There is no reason to believe that this has actually happened, but it is possible.

We have now installed "User-Based Access Control", which is based on the program 'xauth'. This will prevent unauthorized access to your workstation's display.

Consequences of using 'xauth' access control
============================================

You must not use 'xhost' in the future. We can't stop you from doing this. We will set up the network's initialization files so that xhost DENIES permission to all hosts when you login. But you will still be able to use xhost to give permission to any machine you want, whenever you want. The programming staff recommends that you do NOT do this.

At the time of installation, we inspected everyone's personal .xsession file for use of 'xhost', and changed it to remove all executions of xhost.
If you have brought in a .xsession file from elsewhere, please remove all xhost invocations from it to get the best security.

If you presently use "su" and the account you su to needs to use X Window services, you must use "xsu" instead (same syntax as "su"). Normally "su" is used to access a shared account such as for the PIC faculty. Avoid su-ing to an individual's account, for while xsu removes the authorization information when you exit, it is possible to circumvent the removal. Also, sharing individual accounts is strongly discouraged by the computing staff due to bad experiences with abuses in the past.

If you want to start an xterm process on another machine you must use the command 'rxterm', as most people are already doing. To start other programs remotely you must use 'xrsh'. If you have a home-built remote execution command you need to ensure that it propagates the authorization information similar to what xrsh does -- or you can just use xrsh. Our xrsh has been modified so that the default security is "environment" or "xauth" depending on whether the client is on the same net as the originator.

If you use a non-Mathnet machine, and it has a variant of the Berkeley UNIX operating system such as SunOS or Solaris, you can set up the .rhosts file on the remote machine so you can use rxterm. "handout X/rxterm" has a step by step procedure for this. If you can do rlogin and connect to the machine, it is almost certainly in this category.

On the other hand, if the remote machine cannot do rlogin or rsh, you will need to connect to it by telnet. For each different X session (i.e. logging in to your workstation or X-terminal) the security information is different, so you must transfer the new security information to the remote machine.
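The following script is an added example, not part of this handout or of the staff's tools, showing how you can check a .xsession file yourself for the xhost invocations described above. The function name 'audit_xsession' and the sample .xsession it scans are made up for the example. Only commands that GRANT access are reported: 'xhost -' (deny all hosts) and 'xhost -host' (revoke one host) are left alone, while 'xhost +', 'xhost +host' and 'xhost host' are flagged. It assumes one xhost command per line.

```sh
#!/bin/sh
# Added example (not from the handout): report xhost invocations in a .xsession
# file that grant display access.  Reads the file on standard input.

set -f    # arguments to xhost are hostnames; never expand them as globs

# audit_xsession: prints every line that grants access via xhost.
# Returns 1 if any such line was found, 0 if the file is clean.
audit_xsession() {
  found=0
  while IFS= read -r line || [ -n "$line" ]; do
    code=${line%%#*}                        # drop trailing comments
    case $code in
      *xhost*) ;;                           # a line that runs xhost
      *) continue ;;
    esac
    args=${code#*xhost}                     # everything after the command name
    for word in $args; do
      case $word in
        ';'|'&'|'&&'|'||'|'|') break ;;     # end of this xhost command
        -*) ;;                              # 'xhost -' or 'xhost -host': restricts only
        *)  echo "grants access: $line"     # '+', '+host' or a bare host: a grant
            found=1
            break ;;
      esac
    done
  done
  return $found
}

# Constructed sample .xsession (not anyone's real file) to run the audit on.
SAMPLE_XSESSION='#!/bin/sh
xhost -                  # deny all hosts: keep
xhost +                  # disable access control entirely: remove
xhost +pop.usc.edu       # grant one host: remove
xhost -pop.usc.edu       # revoke one host: fine
xsetroot -solid grey
exec xterm'

if printf '%s\n' "$SAMPLE_XSESSION" | audit_xsession; then
  echo "no xhost grants found"
else
  echo "remove the lines above from your .xsession"
fi
```

To check your own file, run 'audit_xsession < ~/.xsession' after sourcing the script; the two '+' lines in the sample are the kind the staff removed at installation time.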
Here is an example of manually transferring the information from our machine Redwood to an (imaginary) remote machine called Pop:

    redwood.31> printenv DISPLAY
    dublin:0.0
    redwood.32> xauth nextract - $DISPLAY
    0000 0004 806104b8 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 ba85e13035db76fdf29fad02b6c73f33
    redwood.33> telnet pop.usc.edu
    (login to the machine)
    pop.1> echo 0000 0004 806104b8 0001 30 0012 \
    ? 4d49542d4d414749432d434f4f4b49452d31 0010 ba85e13035db76fdf29fad02b6c73f33 \
    ? | xauth nmerge -
    pop.2> setenv DISPLAY dublin.math.ucla.edu:0.0
    pop.3> xterm -name pop &

Note that locally the display name lacks "math.ucla.edu", but the remote machine needs the domain name appended when you setenv DISPLAY. In the echo command it is easier (though unreadable in this handout) to not use the backslashes and to put the whole command on one line. You would use the mouse to copy the information -- it would be very hard to type it in letter by letter. rxterm and xrsh automate the whole process.

For more detailed technical information, please see the respective manual pages (type the following commands at the system prompt):

    man xauth
    man xrsh
    man xsu