Is 'xhost local' (no colon) allowing malicious access?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities. I used the xhost command for this as follows, but mistakenly leaving off the colon suffix seems to have allowed access to the remote server lb.usemaxserver.de...



 nonroot@host2:~ xhost -
access control enabled, only authorized clients can connect
 nonroot@host2:~ xhost local
local being added to access control list
 nonroot@host2:~ xhost
access control enabled, only authorized clients can connect
INET:lb.usemaxserver.de
INET:localhost


I've used the following to remove it...



 nonroot@host2:~ xhost -INET:lb.usemaxserver.de
lb.usemaxserver.de being removed from access control list


Am I interpreting this correctly?



If so, how did lb.usemaxserver.de setup something so that local links to that addess?



Does this require there to be some malicious configuration or software already on my system? If so, any suggestions for where to look?






networking security x xhost







share|improve this question























  • A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
    – dirkt
    Sep 28 at 6:12














up vote
1
down vote

favorite












I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities. I used the xhost command for this as follows, but mistakenly leaving off the colon suffix seems to have allowed access to the remote server lb.usemaxserver.de...



 nonroot@host2:~ xhost -
access control enabled, only authorized clients can connect
 nonroot@host2:~ xhost local
local being added to access control list
 nonroot@host2:~ xhost
access control enabled, only authorized clients can connect
INET:lb.usemaxserver.de
INET:localhost


I've used the following to remove it...



 nonroot@host2:~ xhost -INET:lb.usemaxserver.de
lb.usemaxserver.de being removed from access control list


Am I interpreting this correctly?



If so, how did lb.usemaxserver.de setup something so that local links to that addess?



Does this require there to be some malicious configuration or software already on my system? If so, any suggestions for where to look?






networking security x xhost







share|improve this question























  • A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
    – dirkt
    Sep 28 at 6:12












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities. I used the xhost command for this as follows, but mistakenly leaving off the colon suffix seems to have allowed access to the remote server lb.usemaxserver.de...



 nonroot@host2:~ xhost -
access control enabled, only authorized clients can connect
 nonroot@host2:~ xhost local
local being added to access control list
 nonroot@host2:~ xhost
access control enabled, only authorized clients can connect
INET:lb.usemaxserver.de
INET:localhost


I've used the following to remove it...



 nonroot@host2:~ xhost -INET:lb.usemaxserver.de
lb.usemaxserver.de being removed from access control list


Am I interpreting this correctly?



If so, how did lb.usemaxserver.de setup something so that local links to that addess?



Does this require there to be some malicious configuration or software already on my system? If so, any suggestions for where to look?






networking security x xhost







share|improve this question















I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities. I used the xhost command for this as follows, but mistakenly leaving off the colon suffix seems to have allowed access to the remote server lb.usemaxserver.de...



 nonroot@host2:~ xhost -
access control enabled, only authorized clients can connect
 nonroot@host2:~ xhost local
local being added to access control list
 nonroot@host2:~ xhost
access control enabled, only authorized clients can connect
INET:lb.usemaxserver.de
INET:localhost


I've used the following to remove it...



 nonroot@host2:~ xhost -INET:lb.usemaxserver.de
lb.usemaxserver.de being removed from access control list


Am I interpreting this correctly?



If so, how did lb.usemaxserver.de setup something so that local links to that addess?



Does this require there to be some malicious configuration or software already on my system? If so, any suggestions for where to look?






networking security x xhost




networking security x xhost






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 28 at 2:17









Rui F Ribeiro

36.9k1273117




36.9k1273117










asked Sep 27 at 23:14









DocSalvager

1,27521532




1,27521532











  • A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
    – dirkt
    Sep 28 at 6:12
















  • A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
    – dirkt
    Sep 28 at 6:12















A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
– dirkt
Sep 28 at 6:12




A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
– dirkt
Sep 28 at 6:12










1 Answer
1






active

oldest

votes

















up vote
2
down vote



accepted











I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.





share|improve this answer


















  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f471957%2fis-xhost-local-no-colon-allowing-malicious-access%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote



accepted











I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.





share|improve this answer


















  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25














up vote
2
down vote



accepted











I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.





share|improve this answer


















  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25












up vote
2
down vote



accepted







up vote
2
down vote



accepted







I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.





share|improve this answer















I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.






share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 28 at 10:40

























answered Sep 27 at 23:21









sourcejedi

20.5k42888




20.5k42888







  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25












  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25







1




1




This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
– DocSalvager
Sep 28 at 8:07




This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
– DocSalvager
Sep 28 at 8:07












@DocSalvager that's hilarious, thank you for the followup :-D.
– sourcejedi
Sep 28 at 10:25




@DocSalvager that's hilarious, thank you for the followup :-D.
– sourcejedi
Sep 28 at 10:25

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f471957%2fis-xhost-local-no-colon-allowing-malicious-access%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

How to check contact read email or not when send email to Individual?

Image
Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
Read more

Displaying single band from multi-band raster using QGIS

Image
Clash Royale CLAN TAG #URR8PPP 1 How can I extract a single band from multi-band raster in QGIS? I have an remote sensed image which has 6 bands (including NDVI band), I want to display each band separately, but have no idea how to do. I have seen some questions similar here but none worked for me. The original image (has 6 bands) is: I want to display the band 6 which should be like this: But I tried gdal_translate, and couldn't get the correct result. What I have got is: qgis raster multi-band share | improve this question edited Mar 5 at 0:53 Summer asked Mar 4 at 6:42 Summer Summer 23 6 Is this any help gis.stackexchange.com/questions/220658/… ? if not gis.stackexchange.com/questions/62133/… might help. – Michael Stimson Mar 4 at 6:46 Thanks for answering but when I used gdal_translate, qgis showed that 'Error 4: Kayena.tif: No such file or directory". Would you know how to fix it? –
Read more

How many registers does an x86_64 CPU actually have?

Image
Clash Royale CLAN TAG #URR8PPP up vote 2 down vote favorite I am currently learning reverse engineering and am studying the flags register. I had in my mind that rflags was just another name for one of the 16 general purpose registers, for example rax or rbx . But it looks like rflags is actually an additional register. So that makes 17 registers in total... how many more could there be? I have spent at least an hour on this and found numerous different answers. The best answer so far is this, which says that there are 40 registers in total. 16 General Purpose Registers 2 Status Registers 6 Code Segment Registers 16 SSE Registers 8 FPU/MMX Registers But if I add that up, I get 48. Could anybody provide an official answer on how many registers an x86_64 CPU has (e.g. an Intel i7). Additionally, I have seen references to 'hardware' and 'architectural' registers. What are those registers and how many are there? register x86-64 share | improve this
Read more