"xhost +" in startup apps not security issue?

billp

Post by billp »

I looked in the startup apps to stop something that was running every startup, and noticed "xhost +" as a startup app... Several websites warn that this could be a security risk, so I was wondering if there's a good reason not to disable it?

Thanks in advance!
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
xenopeek

Re: "xhost +" in startup apps not security issue?

Post by xenopeek »

xhost + opens your X server (your screen + keyboard + mouse) to be used by other X clients. So somebody could have a program run on their own computer but send output to your screen, and receive input from your keyboard and mouse. Again, the program does not run on your computer or have access to your files.

You can safely disable it in Startup Applications, in which case xhost defaults to "xhost -". You can check after logout/login what the current settings are by running xhost on the terminal. It should output something like:

Code:

access control enabled, only authorized clients can connect
SI:localuser:vincent

The important part is that access control is enabled.
billp

Re: "xhost +" in startup apps not security issue?

Post by billp »

Thanks for the answer. I guess I'm still curious why it was in startup apps in the first place. I checked my Linux Mint live CD, and it was there also. Is it standard with Linux Mint 13? If so, why?
xenopeek

Re: "xhost +" in startup apps not security issue?

Post by xenopeek »

Linux Mint comes by default with connectivity options enabled, giving the best out-of-the-box experience on the local network to new users by allowing remote desktop support, connecting to network printers, sharing files with others and more. Xhost + is part of those connectivity options. Your Internet router's firewall will block any attempt from outside the local network (i.e., the Internet) to reach your computer. So even with this service running, unless you specifically configure your Internet router's firewall to allow traffic from the Internet to go to this service on your computer, you are not at risk for remote attackers. This goes for all connectivity options (see here http://forums.linuxmint.com/viewtopic.p ... 77#p600177).

There is only a possible security issue with running the X server without access control on the local network. If you are on a public local network (like a WiFi hotspot somewhere outside your home), I recommend enabling Linux Mint's firewall, and setting it to default deny incoming traffic. This will protect you on the local network also, unless you specifically configure a port on your computer to be reachable by others in that firewall.
billp

Re: "xhost +" in startup apps not security issue?

Post by billp »

Thanks very much for that explanation.
eighthave

Re: "xhost +" in startup apps not security issue?

Post by eighthave »

This is a really disappointing situation. I am a big believer in making things easier to use, that's why I just switched from Ubuntu to Mint. But this seems to me an egregious lapse in security, the kind that I only expect from Microsoft. It leaves Mint installs easily targeted by automated malware since it's on by default, and will make it pretty easy for someone to make a malware botnet for Mint. Sure most people use their computers behind NATed routers, but many if not most people will also use their laptops on public wifi. And many universities use public IP addresses for all of their networks. Additionally there is some well known malware that gains control of consumer routers, so you can't really trust NATed networks either. And then there are targeted attacks...

If you are insistent that Mint include "xhost +" in its default config, at the very least the firewall needs to be on and blocking the relevant ports by default.
eighthave

Re: "xhost +" in startup apps not security issue?

Post by eighthave »

I looked around a bit more and it doesn't look quite as bad as I originally thought. It seems that the Xserver is configured with TCP connections off:

Code:

/usr/bin/X :0 -audit 0 -auth /var/lib/mdm/:0.Xauth -nolisten tcp vt8

Therefore, as far as I know, remote connections aren't allowed even with xhost +. So my guess is that means that this is much less of a security risk since things can only connect to the X server via UNIX sockets, but it does increase the risk of local programs running keyloggers or getting root access via exploits in the X server.
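
The two checks discussed so far in this thread (the `xhost` access-control state and the `-nolisten tcp` flag on the X command line) can be combined into one audit. The script below is an added example, not code from any poster or from Linux Mint; the function names and result labels are hypothetical, and the samples are the two outputs quoted in the thread plus the message `xhost` prints when access control is off.

```shell
#!/bin/sh
# Added example: classify X display exposure from xhost output and the
# X server command line. Function names and labels are hypothetical.

# xhost_state TEXT -> open | restricted | unknown
xhost_state() {
    case "$1" in
        *"access control disabled"*) echo open ;;
        *"access control enabled"*)  echo restricted ;;
        *)                           echo unknown ;;
    esac
}

# x_tcp_state CMDLINE -> on | off | default
# "default" means no flag was given, so the result depends on the server
# build's own default. If both flags appear, report "on" (conservative).
x_tcp_state() {
    case " $1 " in
        *" -listen tcp "*)   echo on ;;
        *" -nolisten tcp "*) echo off ;;
        *)                   echo default ;;
    esac
}

# exposure XHOST_TEXT CMDLINE -> who can reach the display unauthenticated
exposure() {
    acl=$(xhost_state "$1"); tcp=$(x_tcp_state "$2")
    case "$acl/$tcp" in
        restricted/*) echo authorized-only ;;
        open/off)     echo local-any-user ;;       # UNIX socket only
        open/on)      echo network-any-host ;;     # TCP port reachable
        open/default) echo check-server-default ;;
        *)            echo unknown ;;
    esac
}

# Sample inputs (first and third are quoted from the thread).
SAMPLE_ON='access control enabled, only authorized clients can connect
SI:localuser:vincent'
SAMPLE_OFF='access control disabled, clients can connect from any host'
SAMPLE_X='/usr/bin/X :0 -audit 0 -auth /var/lib/mdm/:0.Xauth -nolisten tcp vt8'

echo "xhost + with this server: $(exposure "$SAMPLE_OFF" "$SAMPLE_X")"
echo "after disabling xhost +:  $(exposure "$SAMPLE_ON" "$SAMPLE_X")"
```

On a live system, pass `"$(xhost)"` as the first argument and the X server's line from `ps -eo args` as the second.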
eanfrid

Re: "xhost +" in startup apps not security issue?

Post by eanfrid »

There is basically no security in Xserver: for example, run "xinput --list" in a console, read the line which designates the ID of your keyboard, then run "xinput --test (keyboard ID)" and you will be logging all keypresses in all X apps, including those made under either a root account or sudo in another Xterm ;)
SamuraiMark

Re: "xhost +" in startup apps not security issue?

Post by SamuraiMark »

eanfrid wrote: There is basically no security in Xserver: for example, run "xinput --list" in a console, read the line which designates the ID of your keyboard, then run "xinput --test (keyboard ID)" and you will be logging all keypresses in all X apps, including those made under either a root account or sudo in another Xterm ;)

That is not a demonstration of "no security in Xserver". Of course you have full access to whatever is happening on your own X desktop, including terminal windows you have opened, whether they are running as root or otherwise.

- Mark