Security Question /tmp/.X11-pipe

Corné Beerse cbeerse "at" lycos.nl
Thu Mar 25 09:17:00 2004


Douglas Fisher wrote:

> In order to run vncserver on my Solaris machines I have to
> chmod 777 /tmp/.X11*
> or I get the error:
> Failed to establish all listening sockets
> (obviously when running the vncserver NOT as the root user)
> 
> Since these directories are created very late in the boot up process we had to add the following script to /etc/rc3.d (note the
> sleep 61, sleep 5 is too short)
> ===================
> #!/sbin/sh
> #
> # rc script: wait for the X11 socket directories to be created late in
> # boot, then open them to all users so a non-root vncserver can start.
> 
> case "$1" in
> 'start')
>         echo Allowing vncserver permission to be run by all users
>         sleep 61
>         # -p: do not complain if the directories already exist by now
>         mkdir -p /tmp/.X11-pipe
>         mkdir -p /tmp/.X11-unix
>         chmod 777 /tmp/.X11-pipe
>         chmod 777 /tmp/.X11-unix
>         ;;
> 
> 'stop')
>         ;;
> 
> *)
>         echo "Usage: $0 { start | stop }"
>         exit 1
>         ;;
> esac
> exit 0
> ====================
> This seems more secure than doing a SUID root on the Xvnc binary.
> 
> I heard that chmod of the .X11-pipe is a security hole, but I am unclear about what the nature of the security hole is, can anyone
> elaborate?

Both are some kind of security hole.
IF you have access to the tmp directory, then you might have access to the 
named pipes (or sockets) as used in the X11 protocol/communication. An exploit 
can be reading or writing to it and so get access to the screen, regardless of 
the X11 server used. Hence, you not only open the Xvnc-driven X11 displays but 
also the other ones.

If you set Xvnc to SETUID-root, you just give the process of Xvnc the root 
rights, even if it is started by any other user. Since you have the Xvnc source, 
you can at least see the security holes in there and see how this process can be 
abused to gain root access.

A way in the middle can be a dedicated UID (or GID) that handles the directory: 
Create a Xserver group, put the S-bit on the group for Xvnc and give this group 
proper access to the directory.

Another way can be to use a wrapper script that sets Xvnc to the proper access 
in a more controlled way. This can also be done by using the inetd (xinetd) way 
to start Xvnc (http://www.sourcecodecorner.com/articles/vnc/linux.asp).

Or by starting Xvnc just like the normal Xserver: (from my previous mail, 
details are for RHlinux, can be similar for Solaris)
'/etc/X11/xdm/Xservers': add the next lines (and comment out all others). 
WRAP WARNING: each line is either a comment or it starts with the same word as it 
ends (:0 to :0 and :4 to :4).
     # disable the X session on the console
     #:0 local /usr/X11R6/bin/X
     # vncsession :0, using vncpassword from root.
     :0 ROOTVNC local /usr/bin/Xvnc -geometry 800x600 -depth 8 -rfbwait 120000 -rfbauth /root/.vnc/passwd :0
     # vncsession :4, no vncpassword.
     :4 FREEVNC local /usr/bin/Xvnc -geometry 800x600 -depth 8 -rfbwait 120000 -alwaysshared -dontdisconnect :4
Now restart the display manager (or the machine) and...

> 
> Is there a better way of getting Xvnc to run?
> _______________________________________________
> VNC-List mailing list
> VNC-List "at" realvnc.com
> To remove yourself from the list visit:
> http://www.realvnc.com/mailman/listinfo/vnc-list
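The "way in the middle" from the reply above (a dedicated group owning the X11 socket directories, with Xvnc setgid to that group instead of setuid root), written out as an added example. This is not code from the thread or from the VNC project; the group name xserver, the 1770 directory mode, the Xvnc path and the prefix argument are assumptions chosen so the functions can be exercised on a scratch directory before being pointed at /tmp. Note the trade-off: with "other" having no rights on /tmp/.X11-unix, local X clients that are not in the group cannot reach a display over the Unix socket, so this fits a box where displays are reached over VNC (TCP) rather than by local X clients.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): the "dedicated group" middle
# way described in the reply, as portable POSIX sh functions.
# Assumptions: the group name (xserver), the prefix directory (passed as an
# argument so the functions can be tried on a scratch directory) and the Xvnc
# path are illustrative; adjust them for your system.
#
# Idea: instead of chmod 777 on /tmp/.X11-unix and /tmp/.X11-pipe (anyone can
# reach every display's socket) or a setuid-root Xvnc (the process runs as
# root), give the directories to a group, deny "other", and make Xvnc setgid
# to that group so it can create its socket there while running as the user.

# mode_of PATH -> prints the 10-character mode string from ls -ld
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# dir_is_restricted DIR -> 0 when DIR is not world-writable AND has the
# sticky bit (so users cannot remove each other's sockets), else 1
dir_is_restricted() {
    m=$(mode_of "$1") || return 1
    case "$m" in
        d???????w*) return 1 ;;      # "other" may write: anyone can plant sockets
    esac
    case "$m" in
        d????????[tT]) return 0 ;;   # sticky bit present (T: no exec for other)
        *) return 1 ;;
    esac
}

# file_is_setgid FILE -> 0 when the setgid bit is set on FILE, else 1
file_is_setgid() {
    m=$(mode_of "$1") || return 1
    case "$m" in
        ??????[sS]*) return 0 ;;     # group execute position shows s/S
        *) return 1 ;;
    esac
}

# setup_x11_dirs PREFIX GROUP: create PREFIX/.X11-unix and PREFIX/.X11-pipe
# owned by GROUP with mode 1770 (rwx owner and group, nothing for other, sticky)
setup_x11_dirs() {
    prefix=$1; group=$2
    for d in "$prefix/.X11-unix" "$prefix/.X11-pipe"; do
        mkdir -p "$d"      || return 1
        chgrp "$group" "$d" || return 1
        chmod 1770 "$d"    || return 1
    done
}

# make_xvnc_setgid XVNC GROUP: Xvnc gets GROUP as its effective group (setgid),
# NOT setuid root, so a bug in Xvnc yields at most group access to the socket
# directories rather than root
make_xvnc_setgid() {
    chgrp "$2" "$1" && chmod 2755 "$1"
}

# audit_x11_dirs PREFIX: report the X11 directories under PREFIX that are
# still world-writable or lack the sticky bit; returns 1 if any are
audit_x11_dirs() {
    prefix=$1; bad=0
    for d in "$prefix/.X11-unix" "$prefix/.X11-pipe"; do
        [ -d "$d" ] || continue
        if dir_is_restricted "$d"; then
            echo "ok:  $d $(mode_of "$d")"
        else
            echo "BAD: $d $(mode_of "$d") (world-writable or no sticky bit)"
            bad=1
        fi
    done
    return $bad
}

# Usage on a real box (as root; group, user and path are assumptions):
#   groupadd xserver
#   setup_x11_dirs /tmp xserver
#   make_xvnc_setgid /usr/bin/Xvnc xserver
#   usermod -G xserver someuser      # members that may start Xvnc
#   audit_x11_dirs /tmp
```

Run audit_x11_dirs /tmp from the rc script instead of the chmod 777 lines; it fails loudly if something (another init script, an X server started later) has reopened the directories, which is the regression a practitioner would want to catch.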