IT Baseline Protection Manual
S 4.9 Use of the security mechanisms of X Windows
Initiation responsibility: IT Security Management, Administrators
Implementation responsibility: Administrators
Release 5 of the X Window software offers only a few features that protect the data transmitted between the X server and the X client; the use of X Window software can therefore only be recommended in secure environments.
Computer-specific access control: Each X server maintains a list of approved computers, which can be altered with the xhost command. This list must be confined to those computers that genuinely need access to the X server, and universal access (xhost +) must never be allowed. Bear in mind, moreover, that every user on an approved computer has unrestricted access to the X server.
User-specific access control: The X server can be configured so that at log-in (e.g. via xdm) a key is generated which is then used to authenticate transmissions between client and server. This key (the MIT MAGIC COOKIE) is stored in the .Xauthority file in the user's home directory and can be passed on to the X client with the xauth command. The MIT MAGIC COOKIE mechanism, however, must be regarded only as a kind of password that can be intercepted in transit; a mechanism offered in conjunction with NIS, which works with a form of DES encryption, offers greater security and should therefore be used wherever possible.
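The two controls above (the xhost list and the .Xauthority cookie) can be audited from a shell. The script below is an added example and is not part of the BSI manual: audit_xhost_output checks a captured xhost listing against an allow-list and flags "xhost +" (which xhost reports as "access control disabled"), check_xauthority_mode verifies that the cookie file is readable only by its owner, and push_cookie shows the xauth-based transfer of a cookie to a client host over ssh instead of opening the server with xhost. The host names, display names and the sample xhost output are constructed for illustration; push_cookie assumes xauth on both ends and ssh access.

```shell
#!/bin/sh
# Added example (not from the BSI manual): X11 access-control audit helpers.
# Assumes POSIX sh plus GNU or BSD stat(1); xhost/xauth/ssh are only needed by
# capture_and_audit_xhost and push_cookie, which run against a live X server.

# audit_xhost_output TEXT ALLOWLIST
# TEXT is the output of `xhost`; ALLOWLIST is a space-separated list of entries
# that are permitted to appear (e.g. "INET:ws1.example.com SI:localuser:alice").
# Returns 0 if access control is enabled and only allow-listed entries are
# present, 1 otherwise. Empty ALLOWLIST means no host may be listed at all.
audit_xhost_output() {
    out=$1
    allow=${2:-}
    case $out in
        *"access control disabled"*)
            echo "FAIL: access control disabled (xhost + is in effect)"
            return 1 ;;
    esac
    status=0
    oldifs=$IFS
    IFS='
'
    for line in $out; do
        case $line in
            "access control enabled"*) continue ;;   # status line, not a host
        esac
        case " $allow " in
            *" $line "*) ;;                           # approved entry
            *) echo "FAIL: unexpected xhost entry: $line"; status=1 ;;
        esac
    done
    IFS=$oldifs
    return $status
}

# Run the audit against the live server (not exercised by the tests).
capture_and_audit_xhost() {
    audit_xhost_output "$(xhost 2>&1)" "${1:-}"
}

# check_xauthority_mode [FILE]
# The cookie is only as secret as the file holding it: require mode 0600.
check_xauthority_mode() {
    f=${1:-$HOME/.Xauthority}
    [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || { echo "FAIL: $f has mode $mode (want 600)"; return 1; }
    return 0
}

# push_cookie REMOTE DISPLAYNAME
# Copy the cookie for DISPLAYNAME (the server's network name, e.g.
# "ws1.example.com:0", not ":0") to REMOTE's .Xauthority over ssh, so the
# remote client can authenticate without any xhost entry (not run by tests).
push_cookie() {
    remote=$1
    dpy=$2
    xauth nextract - "$dpy" | ssh "$remote" xauth nmerge -
}
```

Usage on a workstation: capture_and_audit_xhost "INET:ws1.example.com" reports whether anyone beyond ws1 has been granted host-level access, and check_xauthority_mode should be run for every user whose home directory is shared or NFS-mounted, since a world-readable .Xauthority hands the cookie to everyone who can read it.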
Using an additional program, the keystrokes typed at a remote terminal can be reconstructed in plain text and viewed under X Windows. The xterm program can prevent keystrokes from being forwarded in this way by suppressing the delivery of KeyPress events to other applications. To do so, the Secure Keyboard option must be activated from the xterm menu, which gives the corresponding window exclusive access to the keyboard.