coalms n00b
Joined: 28 Nov 2023 Posts: 21
Posted: Mon Dec 04, 2023 8:01 am Post subject: How do you harden Xorg if you do so?
I have seen USE flags for xorg-server, notably xcsecurity and suid. I have no idea what xcsecurity is, so it is disabled, and I am not sure about the viability of suid either; you would argue some programs are safer with a sticky bit but others are not, in which case I haven't enabled it.
No idea if any hardening is possible in xorg.conf other than modesetting drivers.
-extension is something I have used as much as I can, since less is always more in securing, except +extension SELINUX ofc.
-nolisten, as far as I know, works only with tcp; every other protocol, at least in /etc/protocols, is probably not compiled into xorg.
-pn and -nopn, as far as I understand, are for "error handling".
-query, -broadcast, -cookie is a probability, sending /dev/random to it probably so no one can guess the XDMCP pass. About that XDMCP, I do not know if this is always on or an opt-in feature, and I do not know how to "disable" it for sure. Thoughts?
gorg86 Apprentice
Joined: 20 May 2011 Posts: 299
coalms n00b
Joined: 28 Nov 2023 Posts: 21
Posted: Tue Dec 05, 2023 1:30 am
Brilliant, thank you. I wonder why this is not the default, it being commented out with a second comment saying why and what it does, or a man entry or something ;/. Nevertheless, what is "OT"?
gorg86 Apprentice
Joined: 20 May 2011 Posts: 299
Posted: Tue Dec 05, 2023 2:51 am
OT = off topic, because your question is network related.
coalms n00b
Joined: 28 Nov 2023 Posts: 21
Posted: Tue Dec 05, 2023 8:11 am
gorg86 wrote: "OT = off topic, because your question is network related."
Oh nana, you misunderstand; I am looking for hardening in any way, it's just that the network attack vector is more popular on xorg-server, so I focused on that.
spare n00b
Joined: 13 Nov 2023 Posts: 3
Posted: Tue Dec 05, 2023 10:07 am
https://github.com/jjiolo/gentoo <- backup of a load of build scripts...
config/etc/self/b.init/system.dev
config/usr/bin/startx
config/etc/xinitrc
config/etc/self/c.server/x.<user>
config/etc/self/c.server/x.<user>
are the current best effort to priv drop Xorg without systemd.
tl;dr
chown -R root:desktop /dev/input /dev/dri /dev/tty7
priv drops xorg-server to uid desktop
holds it open with exec sleep infinite in /etc/xinitrc
then starts dwm on the priv-dropped Xorg server as the running user.
Xephyr scripts do exactly the same thing to isolate uid:gid contexts.
Been running it for a while now, seems to actually work?
Fairly sure if you overflow the keyboard input queue
then move the mouse to another Xephyr window
it injects keystrokes into that uid: context :/
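A small audit script for the points raised in this thread (added example, not from the thread or the linked repository): it counts X11 TCP listeners (display ports 6000-6063, which -nolisten tcp should leave empty), UDP/177 listeners (XDMCP; Xorg's -query/-broadcast options are only the client side, the listener would be a display manager), which users the running X servers belong to, and which of the given binaries are setuid. The parsers take command output as text so they can be exercised offline; the Xorg paths and the process names are assumptions for a Gentoo install.

```sh
#!/bin/sh
# Added example (not from the thread): audit helpers for Xorg hardening.
# Each parser takes command output as a string so it can be tested offline;
# audit_live feeds them output from ss(8), ps(1) and test(1) on this host.
# Count listeners in `ss -ltn` / `ss -lun` output whose local port lies in
# [lo, hi]. The local address is the first field ending in ":<port>", so the
# header line ("Local Address:Port") is skipped without needing -H.
ss_listeners_in_range() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        {
            for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) {
                n = split($i, a, ":"); p = a[n] + 0
                if (p >= lo + 0 && p <= hi + 0) c++
                break
            }
        }
        END { print c + 0 }'
}

# X11 over TCP uses 6000 + display number; -nolisten tcp should give 0 here.
x11_tcp_listeners() { ss_listeners_in_range "$1" 6000 6063; }

# XDMCP is UDP/177; a display manager with XDMCP enabled listens here.
# Xorg's own -query/-broadcast/-indirect options are only the client side.
xdmcp_udp_listeners() { ss_listeners_in_range "$1" 177 177; }

# Users owning X server processes, from `ps -eo user=,comm=` output
# (process names are an assumption). After a privilege drop like the one
# described above, root should not appear.
xserver_users() {
    printf '%s\n' "$1" | awk '$2 ~ /^(X|Xorg|Xephyr)$/ { print $1 }' | sort -u
}

# Print which of the given paths carry the setuid bit.
setuid_among() {
    for f in "$@"; do
        if [ -u "$f" ]; then printf '%s\n' "$f"; fi
    done
}
# Live run: sh xorg-audit.sh --live  (paths are assumptions for Gentoo's
# USE=suid layout; adjust to your install).
audit_live() {
    printf 'X11 TCP listeners (6000-6063): %s\n' "$(x11_tcp_listeners "$(ss -ltn 2>/dev/null)")"
    printf 'XDMCP UDP listeners (177): %s\n' "$(xdmcp_udp_listeners "$(ss -lun 2>/dev/null)")"
    printf 'X server owners: %s\n' "$(xserver_users "$(ps -eo user=,comm= 2>/dev/null)" | tr '\n' ' ')"
    printf 'setuid X binaries: %s\n' "$(setuid_among /usr/libexec/Xorg.wrap /usr/bin/Xorg | tr '\n' ' ')"
}
if [ "${1-}" = "--live" ]; then audit_live; fi
```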
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54259 Location: 56N 3W
Posted: Tue Dec 05, 2023 10:48 am
coalms,
You need to define your threats at the outset, so you know what you want to harden against.
e.g. Full disk encryption on a physically secure system is probably wasted.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Goverp Advocate
Joined: 07 Mar 2007 Posts: 2009
Posted: Tue Dec 05, 2023 12:47 pm
Is Xorg the right question? The world seems to think Wayland is the answer to everything.
_________________
Greybeard
spare n00b
Joined: 13 Nov 2023 Posts: 3
Posted: Tue Dec 05, 2023 1:43 pm
Targeted attacks: you want to look like everyone else; if they burn a 0-day, everyone dies.
Watering hole attacks: you want to be as special a snowflake as possible.
Only write malware to target the largest % of users with the lowest common denominator to increase return.
imo 3D libraries aren't less complicated to get right than 2D.