Billy Wilson wrote: > I have a question about using Xvfb securely on a multi-user system. We > are currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our main > reason for using Xvfb is to accommodate one of our users, whose > scientific computing software requires an X server for some reason. > > My concern is that if the non-privileged user runs the following: `Xvfb > :1 -screen 0 800x600x24+1` > > Any user on the system is able to export DISPLAY=:1 and run programs > that connect to his dummy X server. I'm aware of auth file and xhost > mechanisms for access control, but I was wondering how I can have Xvfb > restrict connections strictly to the user, by default. > > In other words: How can I prevent an uninformed user from using the Xvfb > defaults and opening X to the world?
One option is to rename Xvfb and replace it with a script which starts Xvfb proper with the appropriate arguments. Another would be to replace Xvfb with Xvnc, started from the display manager. This will require the user to log in interactively, as with any other X server. -- Glynn Clements <gl...@gclements.plus.com> _______________________________________________ xorg@lists.x.org: X.Org support Archives: http://lists.freedesktop.org/archives/xorg Info: http://lists.x.org/mailman/listinfo/xorg Your subscription address: %(user_address)s
