[vox-tech] xhost+: Why you should NEVER DO THAT

Richard Harke rharke at earthlink.net
Sat Mar 19 00:59:16 PST 2005


On Friday 18 March 2005 19:37, Karsten M. Self wrote:
> on Fri, Mar 18, 2005 at 06:08:04PM -0800, Richard Harke 
(rharke at earthlink.net) wrote:
> > On Friday 18 March 2005 16:12, Karsten M. Self wrote:
> > > The history of secure applications development is largely divided into
> > > two groups:
> > >
> > >  1. Those who anticipate hostile environments, design for scenarios in
> > >     which no two components trust one another, and correctly implement
> > >     failsafe, trust, integrity, and encryption procedures.
> > >
> > >  2. Those who've been the source of multiple compromises.
> > >
> > >
> > > Paranoia pays off here.  Safe practices pay off.  Even those who _are_
> > > paranoid and cautious suffer breakins (the good ones will let you know
> > > that this has happened).  The truely frightening are those who deny the
> > > problem exists _and_ fail to recongize a compromise when they see it.
> >
> > When I first installed firefox it refused to run.
>
> You don't provide any specifics on the problem or why it refused to run.
>
> Nor is there a record of your encountering this problem on the LUGoD
> lists or in Google (based on your first+last name and keyword
> 'firefox').
>
> I'm going to presume this was Firefox 0.9.x and your problem is similar to
> that described here:
>
>     http://lists.suse.com/archive/suse-kde/2004-Aug/0122.html
>
> Specifically quoting a readme file:
>
>     Because of missing registration features in firefox 0.9.x you have
>     to start firefox as root the first time after installation.
>
>     If you get a message like
>     -----8<------------------snip--------------8<--------------
>     Xlib: connection to ":0.0" refused by server
>     Xlib: XDM authorization key matches an existing client!
>     ----->8------------------snap-------------->8--------------
>
>     you have to disable the X authorization with command
>     'xhost +' and startup firefox.
>     After the initial startup you can close your X session
>     again by 'xhost -' and you should be able to start firefox
>     from now on without problems.
>
This is in fact the problem I had. I never saw the readme though and
never did try to start firefox as root. After xhost + I could start
firefox as a user but after I did xhost -, it would not start. This has 
changed since I did the update. That is, it refused to run. I did xhost +
It would run. I did xhost - and it still runs. I still have not run it as
root.
My first installation was some time after version 1.0 was announced
but I didn't check the version at debian.
> > After googling about I found the advice to do xhost +.
>
> Best I can tell (I don't have the broken Firefox build on my system, and
> never encountered it), so this is based on general experience:
>
>   - The xhost advice is unnecessary.  The alternative I've mentioned in
>     this discussion -- running 'sux' or as root setting $DISPLAY and
>     merging the user's ~/.xauthority file -- would be sufficient.
>     'xhost +' is faster and easier, but remains bad advice.  I'm not
>     sure if SuSE ships with 'sux', but tool ommissions in other areas on
>     a recent SuSE 9.1 build don't impress me.
>
>   - This is a fix which is local to the system at hand.  'xhost +
>     localhost' would probably also have worked, and would have _not_
>     dropped all access security to your X display.
>
>   - On a sanely configured X server, not listening to external TCP
>     traffic, even running 'xhost +' would not open you up to external
>     hosts, due to your server settings.  This is where Mark Kim's advice
>     is mind-bogglingly inappropriate:  not only is it overtly harmful
>     (in the event of a misconfigured X server), but (in the case of a
>     correctly configured one) it fails to address the problem at hand.
>
> Incidentally, if your X server _is_ listening to external TCPIP traffic,
> and you haven't explicitly configured it to do so yourself, you _should_
> write file a bug report.
>
> > Based on this thread I should have rejected the advice leaving me with
> > two alternatives:
> >
> > 1:   download the firefox source and debug it.
>
> That's your prerogative, and I'm sure the Firefox team would have
> appreciated your contribution.
>
> > 2:   apt-get purge firefox  (followed by a nasty email to somewhere)
>
> While I suspect there's a hint of tongue-in-cheek in your response, that
You're right
> would have been _fully_ appropriate.  Firefox shipped with a broken
> config (as noted in the README fragment quoted in the post referenced
> above), and supplied a workaround which is dangerous and highly
> questionable.
>
> You are, however, ommitting the several options available to you for
> running X applications as root which _don't_ involve inviting the world
> to your desktop:
As noted above, I didn't think about running firefox as root. Also, I have my 
system configured so I startx as a user after I login so I'm not sure how
the firefox readme would apply. (I assume most users have X started by
root immediately after booting up)
>
> 3:  'sux <commmand>'
>
> 4:  (su|sudo to root)
>     export DISPLAY=<display>;
>     xauth merge ~<USER>/.xauthority; command
>
> 5:  ssh -X root at localhost
>
>
> Note that 4 and 5 raise additional issues,  I'd deprecate 'su' in favor
> of 'sudo' as a general rule, and disallow remote root logins.  On a
> single-user system these are less aggregious than the 'xhost +' inanity,
> but should still be avoided if at all possible (and it most definitely
> _is_ at all possible).  In balance, 'sux' is probably the best mix of
> sufficient (fixes the immediate problem), safe, and simple.
>
> Good security practices are in very large part a matter of making an
> explicit effort to Do The Right Thing[tm] whenever possible.  It keeps
> you out of bad habits.  Being overtly secure when you don't absolutely
> have to be (personal system, home LAN, trusted network) means that
> you'll be doing the right thing, by habit, when it _does_ matter.
>
>
> Peace.
Thanks for the explanations, I have learned a lot.
I guess I should have posted the problem here in the first place.
Richard


More information about the vox-tech mailing list