Fermilab Computing Sector

Configuring X to not listen to the network

sidemenu
Policy Guidelines

Restricted Access
Posting from Troy Dawson to linux-users on 3/1/2005:

Howdy,
Even though most people do not have have any entries in the list of
machines that X will listen to, that doesn't mean that X isn't actually
listening on the network.

Try doing an
netstat -ap | grep LISTEN | grep x11
and you should see it.

Does that mean your machine can be compromised? No, not really, as long
as you keep yum turned on.
Does that mean that one of your users can open up your machine? Yes.
Basically bad things can happen if a user carelessly does an 'xhost +'

Can you make X not listen on the network at all? Yes
Will that break anything? Only if the users have a legitimate reason to
be doing an 'xhost +<ipaddress>'

How do I do it?
For a normal LTS 3.0.x, and S.L. 3.0.x machine, there are two file that
you have to add and/or edit.

1-Edit /etc/X11/gdm/gdm.conf and change the following section

[server-Standard]
name=Standard server
command=/usr/X11R6/bin/X
flexible=true

to

[server-Standard]
name=Standard server
command=/usr/X11R6/bin/X -nolisten tcp
flexible=true


2-Edit or add the file /etc/X11/xinit/xserverrc It should say

#!/bin/sh
exec /usr/X11R6/bin/X -nolisten tcp "$@"


3-Restart X ... I mean really restart X.
In my experience, if I was just logging out and back in, X was staying
up enough to not reload. Also doing a <Ctrl>-<Alt>-<Backspace>, X would
restart fast enough that it also wasn't letting go of the tcp socket.
Basically I had to either reboot the machine, or do an 'init 3' and then
kill all the leftover X stuff that wasn't ending ... except for xfs (X
Font Server).

Troy
p.s. As a side note. RedHat has this turned off by default in RHEL 4,
and so it will be turned off by default in S.L. 4.x

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)