"xhost +" in startup apps not security issue?

Postby billp on Sat Jun 30, 2012 2:33 pm

I looked in the startup apps to stop something that was running every startup, and noticed "xhost +" as a startup app... Several websites warn that this could be a security risk, so I was wondering if there's a good reason not to disable it?

Thanks in advance!

Postby xenopeek on Sat Jun 30, 2012 3:09 pm

xhost + opens your X server (your screen + keyboard + mouse) to be used by other X clients. So somebody could have a program run on their own computer but send output to your screen, and receive input from your keyboard and mouse. Again, the program does not run on your computer or have access to your files.

You can safely disable it in Startup Applications, in which case xhost defaults to "xhost -". You can check after logout/login what the current settings are by running xhost on the terminal. It should output something like:
access control enabled, only authorized clients can connect
SI:localuser:vincent

Important part is that access control is enabled.
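The check described in the post above (run xhost and confirm that access control is enabled), as an added shell example that is not from the forum thread or from Linux Mint. It parses xhost output and the X server command line; the sample strings it is tested against are constructed, and the live audit at the bottom assumes the `xhost` and `ps` commands of a typical Linux desktop.

```shell
#!/bin/sh
# Added example (not code from the forum post): audit X server access control.
# The xhost output strings used for testing are constructed; audit_live calls
# the real `xhost` and `ps` of the current session.

# Returns 0 if `xhost` output (read from stdin) shows access control enabled
# and lists only SI:localuser: entries; prints a reason and returns 1 otherwise.
check_xhost_output() {
    first=
    bad=0
    while IFS= read -r line; do
        if [ -z "$first" ]; then
            first=$line
            case "$line" in
                "access control enabled"*) ;;
                *) echo "access control disabled (the effect of xhost +)"; return 1 ;;
            esac
            continue
        fi
        # Anything other than SI:localuser:<you> widens access beyond the
        # logged-in user: a host entry trusts every user on that host,
        # LOCAL: trusts every local user, and so on.
        case "$line" in
            SI:localuser:*) ;;
            *) echo "broad entry in access list: $line"; bad=1 ;;
        esac
    done
    [ -z "$first" ] && { echo "no xhost output (no X server on DISPLAY?)"; return 1; }
    return "$bad"
}

# Returns 0 if an X server command line ($1) carries -nolisten tcp, i.e. the
# server accepts only local UNIX-socket connections, 1 otherwise.
x_nolisten_tcp() {
    case "$1" in
        *"-nolisten tcp"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live audit of the current session (needs DISPLAY set and xhost installed).
audit_live() {
    xhost 2>/dev/null | check_xhost_output && echo "xhost: OK (local user only)"
    # First process whose command name is X or Xorg (with or without a path).
    xcmd=$(ps -eo args= | grep -E '^([^ ]*/)?(Xorg|X)( |$)' | head -n 1)
    if [ -n "$xcmd" ]; then
        if x_nolisten_tcp "$xcmd"; then
            echo "X server: -nolisten tcp present, no TCP listener"
        else
            echo "X server: -nolisten tcp absent, check for a listener on TCP 6000+display"
        fi
    fi
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it as `sh audit-x.sh --live` inside a graphical session. Note that recent Xorg releases do not listen on TCP even when the flag is absent from the command line, so a missing `-nolisten tcp` is only a hint; `ss -ltn` showing nothing on port 6000 plus the display number is the definitive check.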

Postby billp on Sat Jun 30, 2012 3:55 pm

Thanks for the answer. I guess I'm still curious why it was in startup apps in the first place. I checked my linux mint live cd, and it was there also. Is it standard with linux mint 13? If so, why?

Postby xenopeek on Sat Jun 30, 2012 5:07 pm

Linux Mint comes by default with connectivity options enabled, giving the best out-of-the-box experience on the local network to new users by allowing remote desktop support, connecting to network printers, sharing files with others and more. Xhost + is part of those connectivity options. Your Internet router's firewall will block any attempt from outside the local network (i.e., the Internet) to reach your computer. So even with this service running, unless you specifically configure your Internet router's firewall to allow traffic from the Internet to go to this service on your computer, you are not at risk for remote attackers. This goes for all connectivity options (see here viewtopic.php?f=18&t=106417&p=600177#p600177).

There is only a possible security issue with running the X server without access control on the local network. If you are on a public local network (like a WiFi hotspot somewhere outside your home), I recommend enabling Linux Mint's firewall, and setting it to default deny incoming traffic. This will protect you on the local network also, unless you specifically configure a port on your computer to be reachable by others in that firewall.

Postby billp on Sat Jun 30, 2012 7:33 pm

Thanks very much for that explanation.

Postby eighthave on Mon Jul 16, 2012 2:00 pm

This is a really disappointing situation. I am a big believer in making things easier to use, that's why I just switched from Ubuntu to Mint. But this seems to me an egregious lapse in security, the kind that I only expect from Microsoft. It leaves Mint installs easily targeted by automated malware since it's on by default, and will make it pretty easy for someone to make a malware botnet for Mint. Sure most people use their computers behind NATed routers, but many if not most people will also use their laptops on public wifi. And many universities use public IP addresses for all of their networks. Additionally there is some well known malware that gains control of consumer routers, so you can't really trust NATed networks either. And then there are targeted attacks...

If you are insistent that Mint include "xhost +" in its default config, at the very least the firewall needs to be on and blocking the relevant ports by default.

Postby eighthave on Mon Jul 16, 2012 2:32 pm

I looked around a bit more and it doesn't look quite as bad as I originally thought. It seems that the X server is configured with TCP connections off:

/usr/bin/X :0 -audit 0 -auth /var/lib/mdm/:0.Xauth -nolisten tcp vt8

Therefore, as far as I know, remote connections aren't allowed even with xhost +. So my guess is that this is much less of a security risk, since things can only connect to the X server via UNIX sockets, but it does increase the risk of local programs running keyloggers or getting root access via exploits in the X server.

Postby eanfrid on Mon Jul 16, 2012 5:36 pm

There is basically no security in Xserver: for example, run "xinput --list" in a console, read the line which designates the ID of your keyboard, then run "xinput --test (keyboard ID)" and you will be logging all keypresses in all X apps, including those made under either a root account or sudo in another Xterm ;)
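The two steps eanfrid describes, finding the keyboard's device id in `xinput --list` and reading key events from `xinput --test`, as an added shell example that is not code from the forum post. The `xinput --list`, `xmodmap -pke` and `xinput --test` output embedded below is constructed so the helpers run offline; on a live session the same functions take the real commands' output on stdin. The keysym decoding via `xmodmap -pke` goes one step beyond the post, which only shows raw keycodes.

```shell
#!/bin/sh
# Added example (not code from the forum post): helpers around the xinput
# technique described above. All sample output below is constructed; on a
# live X session feed in `xinput --list`, `xinput --test <id>` and
# `xmodmap -pke` instead.

# Constructed `xinput --list` output (tabs replaced by spaces).
SAMPLE_XINPUT_LIST='Virtual core pointer                    id=2 [master pointer  (3)]
    Virtual core XTEST pointer              id=4 [slave  pointer  (2)]
Virtual core keyboard                   id=3 [master keyboard (2)]
    Virtual core XTEST keyboard             id=5 [slave  keyboard (3)]
    AT Translated Set 2 keyboard            id=10 [slave  keyboard (3)]'

# Constructed `xmodmap -pke` keymap fragment (keycode -> keysyms).
SAMPLE_KEYMAP='keycode   8 =
keycode  38 = a A a A
keycode  65 = space space
keycode  36 = Return NoSymbol Return'

# Constructed `xinput --test` event stream for typing "a a<Enter>", plus one
# keycode that is missing from the keymap.
SAMPLE_EVENTS='key press   38 
key release 38 
key press   65 
key release 65 
key press   38 
key release 38 
key press   36 
key release 36 
key press   99 '

# Print the device ids of slave keyboards from `xinput --list` output (stdin).
# These are the ids the post says to pass to `xinput --test`.
keyboard_ids() {
    awk '/\[slave +keyboard/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^id=/) { sub(/^id=/, "", $i); print $i }
         }'
}

# Decode key press events from `xinput --test` (stdin) to keysyms using an
# `xmodmap -pke` keymap read from the file named in $1. Only the unshifted
# keysym (fourth field) is used; unknown keycodes print as keycodeNN.
decode_presses() {
    awk 'NR == FNR { if ($1 == "keycode" && NF >= 4) map[$2] = $4; next }
         $1 == "key" && $2 == "press" {
             s = ($3 in map) ? map[$3] : "keycode" $3
             print s
         }' "$1" -
}

# Run both helpers over the constructed samples.
demo() {
    printf '%s\n' "$SAMPLE_XINPUT_LIST" | keyboard_ids
    km=$(mktemp)
    printf '%s\n' "$SAMPLE_KEYMAP" > "$km"
    printf '%s\n' "$SAMPLE_EVENTS" | decode_presses "$km"
    rm -f "$km"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a live session the equivalent is `xinput --list | keyboard_ids` to pick an id, then `xmodmap -pke > keymap; xinput --test <id> | decode_presses keymap`. Any client that can connect to the X server, which with `xhost +` means anyone who can reach it, sees the same event stream.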

Postby SamuraiMark on Thu Aug 02, 2012 1:30 pm

eanfrid wrote:
There is basically no security in Xserver: for example, run "xinput --list" in a console, read the line which designates the ID of your keyboard, then run "xinput --test (keyboard ID)" and you will be logging all keypresses in all X apps, including those made under either a root account or sudo in another Xterm ;)

That is not a demonstration of "no security in Xserver". Of course you have full access to whatever is happening on your own X desktop, including terminal windows you have opened, whether they are running as root or otherwise.

- Mark