[SHR] X forwarding: export DISPLAY?
omega.xavier at gmail.com
Wed Aug 18 15:36:40 CEST 2010
On 18/08/2010 13:08, Sebastian Krzyszkowiak wrote:
> Maybe we should enable it by default? Are there any disadvantages?
Some security issues (some side effects), but I don't think it's relevant.
Basically, on your computer, when $DISPLAY is :0.0 your X server is
listening to a UNIX socket (/tmp/.X11-unix/X0 indeed, you can check your
When you do some X11 forwarding there are 2 things:
- a network connection between X client (on "faraway" machine) and X
server (on "here" machine)
- an authentication
With the 'old school' system (cf. my previous message) you do:
faraway$ DISPLAY=here:0 my_application
to establish the (non-encrypted) connection between "faraway" and "here"
For the authentication, your X server usually accepts the X client from
faraway because you did a:
here$ xhost +faraway
But that's for the 'old school' system. Now what about ssh -X?
While doing ssh -X to go on your Freerunner, you can see your
Freerunner's $DISPLAY is :10.0, which corresponds to a local TCP socket
(local on Freerunner) opened by the ssh server.
faraway$ lsof -ni TCP:6010
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 15663 root 9u IPv4 437835 TCP 127.0.0.1:6010(LISTEN)
Any connection to 127.0.0.1:6010/TCP will be redirected through ssh from
your Freerunner to your computer's /tmp/.X11-unix/X0 socket.
That's for the (encrypted) connection.
For authentication, there is a secret shared between X server and X
clients called "magic-cookie" and managed by the xauth application.
You can do "xauth list $DISPLAY" on your computer to see it. This secret
is stored in ~/.Xauthority (be careful with the permissions on this file).
If you do a ssh -X -vv (verbose) you will see your ssh client calling
xauth to get this magic-cookie (something like "debug2: x11_get_proto:
/usr/bin/X11/xauth list :0.0 . 2>/dev/null")
So why do some distributions set X11Forwarding to 'no'?
Because if your Freerunner is *compromised*, someone can control the
Xauthority file and therefore he can connect to the 6010/TCP socket,
which is linked to your computer's UNIX socket.
==> he has a kind of "back channel" to access your computer's X server.
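As an added example (not part of Xavier's post, nor of SHR), here is a small POSIX shell script that turns the checks above into something you can run on either end of an ssh -X session: it maps a $DISPLAY value to the 6000+N TCP port the post describes, runs the same lsof query, verifies that ~/.Xauthority is readable by its owner only, and reads the X11Forwarding keyword from an sshd_config file. The file paths and the expectation of mode 600 on ~/.Xauthority are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks for the X11 forwarding setup described in the post.

# display_to_port: map an X DISPLAY string (":10.0", "here:0", "localhost:11")
# to the TCP port of that display, i.e. 6000 + display number.
display_to_port() {
    disp=${1#*:}        # drop the "host" part up to the colon  -> "10.0"
    disp=${disp%%.*}    # drop the ".screen" suffix              -> "10"
    echo $((6000 + disp))
}

# xauth_perm_ok: succeed only if the given file has mode 600 (owner read/write).
# Anyone who can read this file can read the magic cookie.
xauth_perm_ok() {
    f=$1
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    [ "$mode" = "600" ]
}

# x11_forwarding_setting: print the effective X11Forwarding value of an
# sshd_config file. sshd uses the first occurrence of a keyword and the
# compiled-in default is "no" when the keyword is absent.
x11_forwarding_setting() {
    v=$(awk 'tolower($1)=="x11forwarding" {print tolower($2); exit}' "$1")
    echo "${v:-no}"
}

# Top-level report when run as a script (all checks are guarded so the
# script is harmless on a machine without X or without sshd).
if [ -n "${DISPLAY:-}" ]; then
    port=$(display_to_port "$DISPLAY")
    echo "DISPLAY=$DISPLAY -> TCP port $port"
    # Same query as in the post: who is listening on the forwarded display?
    if command -v lsof >/dev/null 2>&1; then
        lsof -ni "TCP:$port" || echo "nothing listening on TCP:$port"
    fi
fi

if [ -f "$HOME/.Xauthority" ]; then
    if xauth_perm_ok "$HOME/.Xauthority"; then
        echo "~/.Xauthority permissions OK (600)"
    else
        echo "WARNING: ~/.Xauthority is readable by others; run: chmod 600 ~/.Xauthority"
    fi
fi

# Assumed path of the sshd configuration on the machine you ssh into.
if [ -r /etc/ssh/sshd_config ]; then
    echo "X11Forwarding in /etc/ssh/sshd_config: $(x11_forwarding_setting /etc/ssh/sshd_config)"
fi
```

Run it on the Freerunner after "ssh -X" to confirm that sshd (and nothing else) owns the 6010/TCP listener, and on the computer to confirm that the cookie file is not world-readable; on a box that should never forward X, the last line tells you whether sshd_config still says no.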