Enabling X11 Access Control (Fixing xhost +)

Introduction

The number 1 rated high risk system vulnerability noted by the recent ISS audit of BNL was the use of "xhost +" or an open X display. Using "xhost +" allows anyone the ability to watch your keystrokes, capture windows and insert command strings into your windows. This situation is particularly bad when you have root access to a machine. There is no legitimate reason to run "xhost +". Most people will be using ssh to make their connections to other machines than their desktop and ssh tunnels X11 traffic, eliminating any need for "xhost +". To use turn on X11 forwarding with ssh call it like:

	ssh -X host.domain
This can be turned on by default by adding the following to $HOME/.ssh/config:
Host *.bnl.gov
ForwardX11 yes
Make sure of the following things:

Windows Machines Running eXceed Version 6.2 or better

On a Windows machine running eXceed, go into the "Security" part of "Xconfig", select "Enabled (no host access)" in the "Host Access Control List" part of the window and click "OK". If eXceed is running, you will lose all open windows when the X server gets reset.

Windows Machines Running older eXceed Versions

On Windows machine running version 6.1 or older of eXceed, the option listed above just shuts down the X server. There are two options, upgrade to a newer version (Current is 7.0) or use the "File" option. If you select the "File" option on the Xconfig security page, select the "Edit" button on that line and add

      127.0.0.1
to the end of the file. Save the file and click and click "OK". If eXceed is running, you will lose all open windows when the X server gets reset.

eXceed and No ssh

If you do not use ssh to make your X connections under eXceed (you really should), then you have to use the "File" method of security as outlines in the version 6.1 and older section and add all of the names of the machines from which you will be opening X applications to the xhost.txt file. Since this method only provides security at the host level, anyone on the machines you let in can watch your X sessions.

UNIX and Linux Machines

On Linux/UNIX machines, the "xhost +" command can be issued at many locations, so you will have to remember where you did it or find the location to turn it off (I believe that all recent version of the Linux X server have "xhost -" as the default). If you cannot find where the "xhost +" command is issued, adding a call to "xhost -" somewhere will turn it off.

Some of the most common files where you can find the "xhost +" command are in the X11 startup files. These file are

Also, doing a man xinit will give you more information on startup files which are executed when one starts up X11.

If you want to test to see whether you have fixed the "xhost +" problem on your systems, log into another unix computer, disable the ssh X11 encryption channel by resetting the $DISPLAY environment variable back to the server port 0 of your desk top, and then try starting up an xclock. For example, type the following commands

   ssh youraccount@yourfavoritunixserver.phy.bnl.gov
   setenv DISPLAY yourdesktop.phy.bnl.gov:0
   xclock
If an xclock pops up on your screen, you still have not properly enabled X11 access control. You should contact your computer liaison for further assistance.

Xterminals

To enable access control (set xhost -) on Tektronix Xterminals bring up the "Setup" menu (F3 key). In the "Configuration Summaries" pull down menu select "X Environment". On the X Environment page toggle "Enable Access Control" to "Yes". Return to the Main Menu and then "Save Settings to NVRAM". The terminal will now reject all X connections except those coming from the machine you connect to via XDM and those coming through tunnels to you XDM host created when you ssh to another machine. If you run "xhost +" on the XDM host, then you will again disable access control, so you should make sure that you do not do this in any of the X setup files (see the UNIX discussion above).

The following is an e-mail from Ofer Rind who tells us how to enable X11 authentication on NCD Xterminals. Thanks Ofer for you post.

------------
Disabling Xhost+ on an Xterminal

(NB: This was tried on both NCD and Textronix Xterminals and seemed to
work; however, your mileage may vary.  The description is for an NCD.)

Press Alt-F3 to pull up the Xterminal control bar.  Select "Change Setup
Parameters" from the "Setup" menu.  When the setup parameters window pops
up, select "Access Control."  This will expand the menu, revealing an
option called "Enable Access Control."  Turn this on by pressing the
adjacent square.  Then, at the bottom of setup window, press the "Apply"
button to effect the change.  This sometimes takes several seconds, be
patient.  When the arrow cursor returns, close the setup window and return
to your previously scheduled program.  X access control should now
(hopefully) be enabled.  NOTE that this access control can be superseded
by a user who logs in on the Xterm and sets "xhost +".

-------------


Tom Throwe
Brett Viren
Last modified: Fri Jul 18 14:09:40 EDT 2003