[SHR] X forwarding: export DISPLAY?

Xavier Cremaschi omega.xavier at gmail.com
Wed Aug 18 15:36:40 CEST 2010


On 18/08/2010 13:08, Sebastian Krzyszkowiak wrote:
> 
> Maybe we should enable it by default? Are there any disadvantages?
> 

Some security issues (some side effects), but I don't think it's relevant
for us.


Basically, on your computer, when $DISPLAY is :0.0 your X server is
listening on a UNIX socket (/tmp/.X11-unix/X0 indeed; you can check your
/tmp).

When you do some X11 forwarding there are two things:
- a network connection between the X client (on the "faraway" machine) and the X
server (on the "here" machine)
- an authentication

With the 'old school' system (cf. my previous message) you do:
    faraway$  DISPLAY=here:0 my_application
to establish the (non-encrypted) connection between "faraway" and "here".

For the authentication, your X server usually accepts the X client from
faraway because you did a:
    here$  xhost +faraway



But that's for the 'old school' system. Now what about ssh -X?
While doing ssh -X to get onto your Freerunner, you can see your
Freerunner's $DISPLAY is :10.0, which corresponds to a local TCP socket
(local on the Freerunner) opened by the ssh server.

faraway$  lsof -ni TCP:6010
  COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
  sshd    15663 root    9u  IPv4 437835       TCP 127.0.0.1:6010(LISTEN)

Any connection to 127.0.0.1:6010/TCP will be redirected through ssh from
your Freerunner to your computer's /tmp/.X11-unix/X0 socket.

That's for the (encrypted) connection.

For authentication, there is a secret shared between X server and X
clients called "magic-cookie" and managed by the xauth application.

You can do "xauth list $DISPLAY" on your computer to see it. This secret
is stored in ~/.Xauthority (be careful with the permissions on this file).
If you do an ssh -X -vv (verbose) you will see your ssh client calling
xauth to get this magic-cookie (something like "debug2: x11_get_proto:
/usr/bin/X11/xauth  list :0.0 . 2>/dev/null")



So why do some distributions set X11Forwarding to 'no'?

Because if your Freerunner is *compromised*, someone can control the
Xauthority file and therefore he can connect to the 6010/TCP socket,
which is linked to your computer's UNIX socket.
==> he has a kind of "back channel" to access your computer's X server.


Xavier.
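The magic-cookie file described above, as an added example that is not part of the post: a small Python reader for the binary ~/.Xauthority layout (per record a u16 address family, then the length-prefixed address, display number, protocol name and cookie), plus the owner-only permission check the post recommends. The two records and the cookie value are constructed sample data, not captured from any machine.

```python
import stat
import struct
from typing import List, NamedTuple

FAMILY_INET, FAMILY_LOCAL = 0, 256  # address-family codes from X11's Xauth.h

class XauthEntry(NamedTuple):
    family: int     # 0 = IPv4, 6 = IPv6, 256 = local (UNIX socket), 65535 = wildcard
    address: bytes  # hostname for local entries, raw IP bytes for the inet families
    number: str     # display number: "0" on the local X server, "10" once forwarded by sshd
    name: str       # authorization protocol, normally "MIT-MAGIC-COOKIE-1"
    data: bytes     # the shared secret itself (16 bytes for MIT-MAGIC-COOKIE-1)

def _field(buf: bytes, pos: int):
    """One length-prefixed field: big-endian u16 length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)  # struct.error if the prefix is cut off
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated Xauthority field")
    return buf[pos + 2:end], end

def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Decode ~/.Xauthority: repeated records of family(u16) + four length-prefixed fields."""
    entries, pos = [], 0
    try:
        while pos < len(buf):
            (family,) = struct.unpack_from(">H", buf, pos)
            address, pos = _field(buf, pos + 2)
            number, pos = _field(buf, pos)
            name, pos = _field(buf, pos)
            data, pos = _field(buf, pos)
            entries.append(XauthEntry(family, address, number.decode(), name.decode(), data))
    except struct.error as exc:  # a length prefix ran past the end of the file
        raise ValueError("truncated Xauthority record") from exc
    return entries

def encode_entry(e: XauthEntry) -> bytes:
    """Inverse of parse_xauthority for one record; used below to build the sample file."""
    out = struct.pack(">H", e.family)
    for field in (e.address, e.number.encode(), e.name.encode(), e.data):
        out += struct.pack(">H", len(field)) + field
    return out

def mode_is_private(st_mode: int) -> bool:
    return stat.S_IMODE(st_mode) & 0o077 == 0  # no group/world bits: 0600 or stricter

# Constructed sample (made-up cookie): display :0 on "here" and the ssh-forwarded :10 on "faraway".
COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE = b"".join(encode_entry(XauthEntry(FAMILY_LOCAL, host, num, "MIT-MAGIC-COOKIE-1", COOKIE))
                  for host, num in ((b"here", "0"), (b"faraway", "10")))
```

On a real file, pass `open(path, "rb").read()` to parse_xauthority and `os.stat(path).st_mode` to mode_is_private.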