On Tue, Jan 13, 2015 at 11:22 PM, Billy Wilson <billy_wil...@byu.edu> wrote:
> Hi,
>
> I have a question about using Xvfb securely on a multi-user system. We are
> currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our main reason
> for using Xvfb is to accommodate one of our users, whose scientific
> computing software requires an X server for some reason.
>
> My concern is that if the non-privileged user runs the following: `Xvfb :1
> -screen 0 800x600x24+1`
>
> Any user on the system is able to export DISPLAY=:1 and run programs that
> connect to his dummy X server. I'm aware of auth file and xhost mechanisms
> for access control, but I was wondering how I can have Xvfb restrict
> connections strictly to the user, by default.
>
> In other words: How can I prevent an uninformed user from using the Xvfb
> defaults and opening X to the world?

See Xsecurity(7) manual page... the SUN-DES-1, MIT-KERBEROS-5 and
ServerInterpreted auth (see $ xhost +si:localuser:root # example in
the man page, likely your preference if you only need Xvfb locally)
are user-to-user authentication mechanisms...

----

Bye,
Roland

-- 
  __ .  . __
 (o.\ \/ /.o) roland.ma...@nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)
_______________________________________________
xorg@lists.x.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: http://lists.x.org/mailman/listinfo/xorg
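
An added example, not part of the thread: a wrapper that applies the auth-file mechanism the question mentions, so that the Xvfb started with the question's command line admits only clients holding the user's cookie. The function names, the temporary-file location and the use of `-nolisten tcp` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the auth-file
# location are assumptions; the Xvfb arguments are those in the question.

# 128-bit random cookie as 32 hex digits, the form xauth expects for
# MIT-MAGIC-COOKIE-1.
make_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Create an empty authority file that only the calling user can read.
new_authfile() {
    ( umask 077 && mktemp "${TMPDIR:-/tmp}/xvfb-auth.XXXXXX" )
}

# Start Xvfb on display $1 (default :1) and print the authority file path.
start_private_xvfb() {
    display="${1:-:1}"
    authfile="$(new_authfile)" || return 1
    # Store the cookie for this display before the server reads the file.
    xauth -f "$authfile" add "$display" MIT-MAGIC-COOKIE-1 "$(make_cookie)" \
        || return 1
    # -auth: with a non-empty authority file the server no longer admits
    # every local user by default; clients must present the cookie.
    # -nolisten tcp: keep the display off the network entirely.
    # Output goes to stderr so $(...) callers do not wait on the server.
    Xvfb "$display" -screen 0 800x600x24+1 \
        -auth "$authfile" -nolisten tcp >&2 &
    echo "$authfile"
}

# Usage (kept as a comment so sourcing this file starts nothing):
#   XAUTHORITY="$(start_private_xvfb :1)"; export XAUTHORITY
#   DISPLAY=:1; export DISPLAY
```

Another user who sets `DISPLAY=:1` without read access to that authority file is refused by the server; `xhost` run by the owner shows whether access control is enabled.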