My solution for preventing xhost +

From: Small, Jim (jim.small@eds.com)
Date: 07/15/02


From: "Small, Jim" <jim.small@eds.com>
To: focus-sun@securityfocus.com
Date: Mon, 15 Jul 2002 13:13:05 -0400

A while back I posted a question on how to prevent a user/administrator
(root) from running xhost + and thereby exposing an/the X server.

I received many great suggestions and based on the circumstances I decided
to write a wrapper script that parses the command line arguments for a
stand-alone + (xhost +). If the script detects this condition, it complains
about a security policy violation and logs the attempt. I wrote an
installation script that moves /usr/openwin/bin/xhost to
/usr/openwin/bin/xacls and installs the wrapper script as
/usr/openwin/bin/xhost.

I realize this solution is not perfect as a root user could bypass it.
However, as many pointed out, a root user can bypass anything else too. At
least this will warn administrators who don't realize that xhost + is bad
that it is forbidden.

Someone pointed out that I could get the source code and alter it to prevent
xhost +. However I don't like this because:
1) I don't know if I am even capable of coding this
2) I could introduce subtle changes from the Sun version that could cause
problems
Nonetheless, it is still a good idea, especially if you're an X windows
coder.

Someone also had the excellent idea of installing a packet filter such as
SunScreen or IPFilter and then blocking/logging port 6000. This is really
the ultimate solution. In the future I will definitely explore this as I
think host based firewalls are the best security solution.

I also had some suggestions to use cron to check for and even correct the
situation. This is an interesting idea that I have not explored. I
especially like the idea of periodically auditing the local server for the
access control disabled condition.

Many people suggested using ssh. While ssh is a great way to secure X
traffic, it really doesn't address this problem. Even if you forward your X
traffic through ssh, someone can still do an xhost + and leave your X server
vulnerable/open.

Many people also correctly pointed out that this is a policy issue. The
security policy must be clearly defined and enforced. I am inclined to
agree but I am not a manager and can't fire people. However I do believe
this script is a reasonable attempt to warn about/control xhost. If someone
goes around this, then I doubt anything else would stop them either.

Finally someone had the idea of going through the list of hosts and altering
the background of their X server to say they are evil because they disabled
access control or something along those lines. This is also an interesting
idea although in our case we have Intrusion Detection software running that
scans for an "open" X server port. That's why I have to protect the
administrators from themselves...

I am including the script and the installation script in case anyone is
curious. If you run the installation script, you will have to comment out
the ". ckbu.ksh" and the checkf lines. Ckbu.ksh is a script I wrote to back
up files and checkf is a function in it to back up files. If anyone has
any comments, suggestions for improvement, or questions, please let me know.

Thanks and I hope this is helpful,
   <> Jim

---
--(xhost wrapper script)--
#! /bin/ksh

# Security wrapper script for xhost

# Debugging:
# set -x

# Variables
CMD=`basename $0`
ARGS="$*"
WHO=`who -m`
ID=`id`
XACCON="access control enabled, only authorized clients can connect"
XACCOFF="access control disabled, clients can connect from any host"
LOGFAC="user"
# Note that user.warning is not logged by default in syslog.conf
# In order to have xhost + logged, syslog.conf must be changed or
# the Log Level must be set to err
#LOGLVL="err"
LOGLVL="warning"
# The real xhost binary, renamed by the installation script
XHCMD="/usr/openwin/bin/xacls"
# First line of xhost output reports the current access control state
ACCSTAT=`$XHCMD 2>/dev/null | head -1`

# Verify that access control is not disabled
if [ "$ACCSTAT" = "$XACCOFF" ]; then
    logger -i -p ${LOGFAC}.${LOGLVL} "Warning: X Server Access Control detected as disabled from xhost script."
    echo "Warning: X Server Access Control detected as disabled."
    echo "Re-enabling access control per Security Policy."
    $XHCMD - >/dev/null 2>&1
fi

# Check for + in any of the args for xhost...
if [ $# -gt 0 ]; then
    for arg in "$@"
    do
        echo "$arg" | grep '+' >/dev/null 2>&1
        if [ $? -eq 0 ]; then
            # A bare + disables access control entirely: refuse and log it
            if [ "$arg" = "+" ]; then
                logger -i -p ${LOGFAC}.${LOGLVL} "$CMD $ARGS attempted by $WHO ($ID)"
                echo ""
                echo "Security Policy Violation"
                echo ""
                echo "Your attempt to disable access control for the local X server:"
                echo "$CMD $ARGS"
                echo "has been logged."
                echo ""
                echo "xhost + is strictly forbidden. If ssh is available, you must use X"
                echo "Forwarding. If not, then use the following syntax:"
                echo "xhost clienthost (to allow temporary local X Server access from host"
                echo "clienthost)"
                echo ""
                echo "xhost -clienthost (when local X Server access from host clienthost"
                echo "is no longer needed)"
                echo ""
                echo "Do not forget to remove any host or other entity added to the access"
                echo "control list before you logout."
                echo ""
                echo "Note that random checks are performed for X Servers."
                echo "If you are using an X Server and it is discovered that access control"
                echo "has been disabled, (xhost +) you will be subject to disciplinary"
                echo "action up to and including termination."
                echo ""
                exit 2
            fi
        elif [ "$arg" = "-help" ]; then
            echo "usage: $CMD [[+-]hostname ...]"
            exit 1
        fi
        # Pass any other argument (e.g. +clienthost, -clienthost) through
        # to the real xhost, provided a display is set
        if [ -n "${DISPLAY}" ]; then
            $XHCMD "$arg"
        else
            echo "$CMD"': unable to open display ""'
            exit 1
        fi
    done
else
    # No arguments: just report the current state via the real xhost
    if [ -n "${DISPLAY}" ]; then
        $XHCMD
    else
        echo "$CMD"': unable to open display ""'
        exit 1
    fi
fi

--(xhost wrapper installation script)--
#! /bin/ksh

# Debugging
# set -x

#
# Purpose of script:
#   Secure xhost command and log xhost +
#
# Author:
#   Jim Small
#
# Revisions:
#   07/12/2002 - Script Created
#

# Setup environment (the current directory is deliberately not on PATH
# for a script run as root; ckbu.ksh is sourced from it explicitly):
export PATH=/usr/bin:/usr/sbin:/sbin:$PATH
XHOSTP="/usr/openwin/bin"
XHOSTF="xhost"
XHOSTN="xacls"
. ./ckbu.ksh

# Variables:

# Extract embedded xhost replacement script
# (the uuencoded body of xhost.wrapper between the "begin" and "end"
# lines was removed from the archived copy of this post)
extract_xhw () {
uudecode << '@EOF'
begin 755 xhost.wrapper
end
@EOF
    chmod 755 xhost.wrapper
    chown root:bin xhost.wrapper
    # Preserve the original xhost timestamp on the wrapper
    touch -r ${XHOSTP}/${XHOSTF} xhost.wrapper
}

# Replace xhost with secure equivalent
secxh () {
    # Refuse to run twice: a second run would rename the wrapper over the
    # real xhost that was already moved to xacls
    if [ -f ${XHOSTP}/${XHOSTN} ]; then
        echo "${XHOSTP}/${XHOSTN} already exists; wrapper appears to be installed" >&2
        exit 1
    fi
    mv ${XHOSTP}/${XHOSTF} ${XHOSTP}/${XHOSTN}
    mv xhost.wrapper ${XHOSTP}/${XHOSTF}
}

# Main script processing:
checkf ${XHOSTP}/${XHOSTF}

extract_xhw
secxh

---

Jim Small
EDS - Infrastructure Integrity
MS 5D
750 Tower Dr.
Troy, MI 48098-2868
phone: +01-248-265-4863 [8-365]
mailto:jim.small@eds.com
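The periodic cron audit that the post mentions but does not explore, as an added example that is not part of Jim's scripts. It reuses the xhost status strings from the wrapper; the XHOST and LOGGER variables are assumptions (they default to the post's renamed xacls binary and to logger, and are overridable so the logic can be exercised against a stub without an X server).

```shell
#!/bin/sh
# Added example: cron-driven audit of the local X server's access control.
# Assumed settings: XHOST is the real xhost binary (the post renames it to
# /usr/openwin/bin/xacls), LOGGER is the syslog client used for the record.
XHOST="${XHOST:-/usr/openwin/bin/xacls}"
LOGGER="${LOGGER:-logger}"
# Status line xhost prints when access control is off (from the wrapper)
XACCOFF="access control disabled, clients can connect from any host"

# Classify the first line of xhost output: prints disabled, enabled or unknown
classify_xhost_status() {
    case "$1" in
        "$XACCOFF"*)               echo disabled ;;
        "access control enabled"*) echo enabled ;;
        *)                         echo unknown ;;
    esac
}

# Audit one display. Returns 0 if access control was already enabled,
# 1 if it was found disabled (logged and re-enabled with "xhost -"),
# 2 if the state could not be determined (no server, xhost failed).
audit_display() {
    display="$1"
    status_line=$(DISPLAY="$display" "$XHOST" 2>/dev/null | head -n 1)
    case "$(classify_xhost_status "$status_line")" in
        enabled)
            return 0 ;;
        disabled)
            "$LOGGER" -i -p user.warning \
                "xhost audit: access control disabled on $display; re-enabling"
            DISPLAY="$display" "$XHOST" - >/dev/null 2>&1
            return 1 ;;
        *)
            return 2 ;;
    esac
}

# Cron entry point: audit every display given on the command line, e.g.
#   */15 * * * * /usr/local/sbin/xhost_audit.sh :0
for d in "$@"; do
    audit_display "$d" || true
done
```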
