How do you harden Xorg if you do so?

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
9 posts • Page 1 of 1
coalms
n00b
Posts: 27
Joined: Tue Nov 28, 2023 3:06 am

Post by coalms » Mon Dec 04, 2023 8:01 am

I have seen USE flags for xorg-server, notably xcsecurity and suid. I have no idea what xcsecurity is, so it is disabled, and I am not sure about suid viability either; you would argue some programs are safer with a sticky bit but others are not, in which case I haven't enabled it.

No idea if any hardening is possible in xorg.conf other than modesetting drivers.

-extension is something I have used as much as I can, since less is always more in securing, except +extension SELINUX ofc
-nolisten as far as I know works only with tcp; every other protocol, at least in /etc/protocols, is probably not compiled into xorg
-pn and -nopn, as far as I understand, are for "error handling"
-query, -broadcast, -cookie is a probability, sending /dev/random to it probably so no one can guess the XDMCP pass. About that XDMCP, I do not know if this is always on or an opt-in feature, and I do not know how to "disable" it for sure. Thoughts?
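An added audit helper for the command-line options discussed in this post (example code, not from the thread or any poster): it takes an Xorg argv string, as printed by `ps -o args= -C Xorg`, and reports whether `-nolisten tcp` is present, whether any of the XDMCP-enabling options (`-query`, `-broadcast`, `-indirect`, per the Xorg(1) man page) were given, and which extensions were disabled with `-extension`. The two sample command lines are constructed.

```shell
#!/bin/sh
# Audit an Xorg command line for the options discussed in the thread.
# Input: the server's argv as one string, e.g. $(ps -o args= -C Xorg).
# Added example; the sample command lines below are constructed.

# Exit 0 if "-nolisten tcp" is present, i.e. no TCP/6000+ listener.
xorg_nolisten_tcp() {
    set -- $1                       # split argv on whitespace
    while [ $# -gt 1 ]; do
        [ "$1" = "-nolisten" ] && [ "$2" = "tcp" ] && return 0
        shift
    done
    return 1
}

# Exit 0 if XDMCP was switched on: per Xorg(1), -query, -broadcast and
# -indirect each "enable XDMCP"; without them the server does not use it.
xorg_xdmcp_enabled() {
    for tok in $1; do
        case $tok in -query|-broadcast|-indirect) return 0 ;; esac
    done
    return 1
}

# Print the names given to "-extension NAME" (disabled extensions),
# space separated, in command-line order.
xorg_disabled_extensions() {
    set -- $1
    out=""
    while [ $# -gt 1 ]; do
        [ "$1" = "-extension" ] && out="$out $2"
        shift
    done
    printf '%s\n' "${out# }"
}

# One verdict line per check; suitable for a log or a cron mail.
xorg_audit() {
    if xorg_nolisten_tcp "$1"; then echo "ok   TCP listener disabled"
    else echo "WARN '-nolisten tcp' missing from command line"; fi
    if xorg_xdmcp_enabled "$1"; then echo "WARN XDMCP query option present"
    else echo "ok   no XDMCP query options"; fi
    echo "info extensions disabled: $(xorg_disabled_extensions "$1")"
}

# Constructed samples: a plain startx-style line and a hardened one.
SAMPLE_DEFAULT='/usr/bin/X :0 vt7 -auth /tmp/serverauth.example'
SAMPLE_HARDENED='/usr/bin/X :0 vt7 -nolisten tcp -extension MIT-SHM -extension XTEST +extension SELINUX -auth /tmp/serverauth.example'
xorg_audit "$SAMPLE_DEFAULT"; echo '---'; xorg_audit "$SAMPLE_HARDENED"
```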
gorg86
Guru
Posts: 359
Joined: Fri May 20, 2011 6:20 pm

Post by gorg86 » Mon Dec 04, 2023 8:15 pm

Maybe OT, but I noticed this here years ago viewtopic-t-1071044-highlight-.html
I disabled it.
coalms
n00b
Posts: 27
Joined: Tue Nov 28, 2023 3:06 am

Post by coalms » Tue Dec 05, 2023 1:30 am

gorg86 wrote:
but I noticed this here years ago viewtopic-t-1071044-highlight-.html
I disabled it.

Brilliant, thank you. I wonder why this is not the default, it being commented out with a second comment saying why and what it does, or a man entry or something ;/ Nevertheless, what is "OT"?
gorg86
Guru
Posts: 359
Joined: Fri May 20, 2011 6:20 pm

Post by gorg86 » Tue Dec 05, 2023 2:51 am

OT = off topic, because your question is network related.
coalms
n00b
Posts: 27
Joined: Tue Nov 28, 2023 3:06 am

Post by coalms » Tue Dec 05, 2023 8:11 am

gorg86 wrote:
OT = off topic, because your question is network related.

Oh nana, you misunderstand: I am looking for hardening in any way; it's just that the network attack vector is more popular on xorg-server, so I focused on that.
spare
n00b
Posts: 3
Joined: Mon Nov 13, 2023 4:40 pm

Post by spare » Tue Dec 05, 2023 10:07 am

https://github.com/jjiolo/gentoo <- backup of a load of build scripts...
config/etc/self/b.init/system.dev
config/usr/bin/startx
config/etc/xinitrc
config/etc/self/c.server/x.<user>
are current best effort to priv drop Xorg without systemd.

tl;dr
chown -R root:desktop /dev/input /dev/dri /dev/tty7
priv drops xorg-server to uid desktop
holds it open with exec sleep infinite in /etc/xinitrc
then starts dwm on the priv dropped xorg server as the running user
Xephyr scripts do exactly the same thing to isolate uid:gid contexts

been running it for a while now, seems to actually work?
fairly sure if you overflow the keyboard input queue
then move the mouse to another Xephyr window
it injects keystrokes into that uid: context :/
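An added check for the device-node ownership that the tl;dr above relies on (example code, not spare's scripts): given lines in the format printed by `stat -c '%U %G %a %n'`, it flags any node that is not owned by root with the expected group, or that still has permission bits for "other", so a chown that missed a node shows up before the privilege-dropped server is trusted with it. The group name `desktop` comes from the post; the sample stat lines are constructed.

```shell
#!/bin/sh
# Check the device-node ownership that a privilege-dropped Xorg relies on.
# Input: lines in the format printed by  stat -c '%U %G %a %n' PATH...
# Added example; "desktop" is the group name used in the post above and
# the sample lines are constructed, not captured from a real host.

# Usage: audit_xorg_devnodes GROUP STAT_LINE...
# Prints one verdict per node. Exit 0 only if every node is owned by
# root:GROUP and has no permission bits for "other".
audit_xorg_devnodes() {
    want_group=$1; shift
    rc=0
    for line in "$@"; do
        set -- $line                     # owner group mode path
        owner=$1 group=$2 mode=$3 path=$4
        other=${mode#"${mode%?}"}        # last octal digit = "other" bits
        if [ "$owner" != root ]; then
            echo "WARN $path owned by $owner, expected root"; rc=1
        elif [ "$group" != "$want_group" ]; then
            echo "WARN $path group $group, expected $want_group"; rc=1
        elif [ "$other" != 0 ]; then
            echo "WARN $path mode $mode is accessible to others"; rc=1
        else
            echo "ok   $path $owner:$group $mode"
        fi
    done
    return $rc
}

# Constructed sample output for nodes under the three paths in the tl;dr.
# The first two look as they would after the post's chown; the third is
# what a node the chown did not reach would look like.
audit_xorg_devnodes desktop \
    'root desktop 660 /dev/input/event0' \
    'root desktop 660 /dev/tty7' \
    'root video 666 /dev/dri/renderD128' \
    || echo "one or more device nodes still need fixing"
```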
NeddySeagoon
Administrator
Posts: 56094
Joined: Sat Jul 05, 2003 9:37 am
Location: 56N 3W

Post by NeddySeagoon » Tue Dec 05, 2023 10:48 am

coalms,

You need to define your threats at the outset, so you know what you want to harden against.
e.g. Full disk encryption on a physically secure system is probably wasted.
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Goverp
Advocate
Posts: 2403
Joined: Wed Mar 07, 2007 6:41 pm

Post by Goverp » Tue Dec 05, 2023 12:47 pm

Is Xorg the right question? The world seems to think Wayland is the answer to everything.
Greybeard
spare
n00b
Posts: 3
Joined: Mon Nov 13, 2023 4:40 pm

Post by spare » Tue Dec 05, 2023 1:43 pm

targeted attacks: you want to look like everyone else; if they burn a 0day everyone dies
watering hole attacks: you want to be as special a snowflake as possible
only write malware to target the largest % of users with the lowest common denominator to increase return
imo 3d libraries aren't less complicated to get right than 2d