Thanks Glynn, these are some good options.
Is there a way to secure Xvfb during an installation from source, such
as during ./configure?
Thanks,
Billy Wilson
On 01/14/2015 05:09 AM, Glynn Clements wrote:
Billy Wilson wrote:
I have a question about using Xvfb securely on a multi-user system. We
are currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our main
reason for using Xvfb is to accommodate one of our users, whose
scientific computing software requires an X server for some reason.
My concern is that if the non-privileged user runs the following: `Xvfb
:1 -screen 0 800x600x24+1`
Any user on the system is able to export DISPLAY=:1 and run programs
that connect to his dummy X server. I'm aware of auth file and xhost
mechanisms for access control, but I was wondering how I can have Xvfb
restrict connections strictly to the user, by default.
In other words: How can I prevent an uninformed user from using the Xvfb
defaults and opening X to the world?
One option is to rename Xvfb and replace it with a script which starts
Xvfb proper with the appropriate arguments.
Another would be to replace Xvfb with Xvnc, started from the display
manager. This will require the user to log in interactively, as with
any other X server.
_______________________________________________
xorg@lists.x.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: http://lists.x.org/mailman/listinfo/xorg
Your subscription address: %(user_address)s
