Is 'xhost local' (no colon) allowing malicious access?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities. I used the xhost command for this as follows, but mistakenly leaving off the colon suffix seems to have allowed access to the remote server lb.usemaxserver.de...



 nonroot@host2:~ xhost -
access control enabled, only authorized clients can connect
 nonroot@host2:~ xhost local
local being added to access control list
 nonroot@host2:~ xhost
access control enabled, only authorized clients can connect
INET:lb.usemaxserver.de
INET:localhost


I've used the following to remove it...



 nonroot@host2:~ xhost -INET:lb.usemaxserver.de
lb.usemaxserver.de being removed from access control list


Am I interpreting this correctly?



If so, how did lb.usemaxserver.de setup something so that local links to that addess?



Does this require there to be some malicious configuration or software already on my system? If so, any suggestions for where to look?






networking security x xhost







share|improve this question























  • A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
    – dirkt
    Sep 28 at 6:12














up vote
1
down vote

favorite












I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities. I used the xhost command for this as follows, but mistakenly leaving off the colon suffix seems to have allowed access to the remote server lb.usemaxserver.de...



 nonroot@host2:~ xhost -
access control enabled, only authorized clients can connect
 nonroot@host2:~ xhost local
local being added to access control list
 nonroot@host2:~ xhost
access control enabled, only authorized clients can connect
INET:lb.usemaxserver.de
INET:localhost


I've used the following to remove it...



 nonroot@host2:~ xhost -INET:lb.usemaxserver.de
lb.usemaxserver.de being removed from access control list


Am I interpreting this correctly?



If so, how did lb.usemaxserver.de setup something so that local links to that addess?



Does this require there to be some malicious configuration or software already on my system? If so, any suggestions for where to look?






networking security x xhost







share|improve this question























  • A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
    – dirkt
    Sep 28 at 6:12












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities. I used the xhost command for this as follows, but mistakenly leaving off the colon suffix seems to have allowed access to the remote server lb.usemaxserver.de...



 nonroot@host2:~ xhost -
access control enabled, only authorized clients can connect
 nonroot@host2:~ xhost local
local being added to access control list
 nonroot@host2:~ xhost
access control enabled, only authorized clients can connect
INET:lb.usemaxserver.de
INET:localhost


I've used the following to remove it...



 nonroot@host2:~ xhost -INET:lb.usemaxserver.de
lb.usemaxserver.de being removed from access control list


Am I interpreting this correctly?



If so, how did lb.usemaxserver.de setup something so that local links to that addess?



Does this require there to be some malicious configuration or software already on my system? If so, any suggestions for where to look?






networking security x xhost







share|improve this question















I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities. I used the xhost command for this as follows, but mistakenly leaving off the colon suffix seems to have allowed access to the remote server lb.usemaxserver.de...



 nonroot@host2:~ xhost -
access control enabled, only authorized clients can connect
 nonroot@host2:~ xhost local
local being added to access control list
 nonroot@host2:~ xhost
access control enabled, only authorized clients can connect
INET:lb.usemaxserver.de
INET:localhost


I've used the following to remove it...



 nonroot@host2:~ xhost -INET:lb.usemaxserver.de
lb.usemaxserver.de being removed from access control list


Am I interpreting this correctly?



If so, how did lb.usemaxserver.de setup something so that local links to that addess?



Does this require there to be some malicious configuration or software already on my system? If so, any suggestions for where to look?






networking security x xhost




networking security x xhost






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 28 at 2:17









Rui F Ribeiro

36.9k1273117




36.9k1273117










asked Sep 27 at 23:14









DocSalvager

1,27521532




1,27521532











  • A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
    – dirkt
    Sep 28 at 6:12
















  • A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
    – dirkt
    Sep 28 at 6:12















A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
– dirkt
Sep 28 at 6:12




A better way is to use MIT-auth cookies. Figure out where the X server you start gets his cookies from, and give this cookie to root, with xauth or other methods.
– dirkt
Sep 28 at 6:12










1 Answer
1






active

oldest

votes

















up vote
2
down vote



accepted











I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.





share|improve this answer


















  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f471957%2fis-xhost-local-no-colon-allowing-malicious-access%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote



accepted











I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.





share|improve this answer


















  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25














up vote
2
down vote



accepted











I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.





share|improve this answer


















  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25












up vote
2
down vote



accepted







up vote
2
down vote



accepted







I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.





share|improve this answer















I'm setting up a new system and need to grant the root user authority to access the nonroot user's X display in order to run GUI utilities.




It sounds like you want xhost +si:localuser:root. (This is not available on all X implementations. man Xsecurity also says that it is not entirely effective on some implementations. But it seems better than +local:)



Also, your X server was probably not directly accessible from the network anyway. E.g. see How can I connect to a remote X server _without_ ssh?




I used the xhost command for this as follows, but ... seems to have allowed access to the remote server lb.usemaxserver.de




xhost +local looks up the hostname local, so it depends what you have in your DNS search path etc.



$ xhost +local
xhost: bad hostname "local"
$ dig local
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
...


It sounds like your system resolves local, to a couple of different hosts. Compare:



$ xhost +smtp.gmail.com
smtp.gmail.com being added to access control list
$ xhost
access control enabled, only authorized clients can connect
INET6:wr-in-x6d.1e100.net
INET:wr-in-f108.1e100.net
INET:wr-in-f109.1e100.net
SI:localuser:alan
$ dig smtp.gmail.com
...
smtp.gmail.com. 104 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.108
gmail-smtp-msa.l.google.com. 104 IN A 108.177.15.109
...
$ dig AAAA smtp.gmail.com
smtp.gmail.com. 170 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 271 IN AAAA 2a00:1450:400c:c0c::6c
$ dig -x 2a00:1450:400c:c0c::6c
c.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa. 300 IN PTR wr-in-x6c.1e100.net.






share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 28 at 10:40

























answered Sep 27 at 23:21









sourcejedi

20.5k42888




20.5k42888







  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25












  • 1




    This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
    – DocSalvager
    Sep 28 at 8:07










  • @DocSalvager that's hilarious, thank you for the followup :-D.
    – sourcejedi
    Sep 28 at 10:25







1




1




This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
– DocSalvager
Sep 28 at 8:07




This works. Thanks. I've also determined that the "local = lb.usemaxserver.de" was due to entries in /etc/hosts. It's an antiX 17.1 distro that includes adblocking by zeroing out hundreds of addresses in that file and there were some erroneous entries.
– DocSalvager
Sep 28 at 8:07












@DocSalvager that's hilarious, thank you for the followup :-D.
– sourcejedi
Sep 28 at 10:25




@DocSalvager that's hilarious, thank you for the followup :-D.
– sourcejedi
Sep 28 at 10:25

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f471957%2fis-xhost-local-no-colon-allowing-malicious-access%23new-answer', 'question_page');

);

Post as a guest
































































-

Popular posts from this blog

How to check contact read email or not when send email to Individual?

Image
Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
Read more

Bahrain

Image
For other uses, see Bahrain (disambiguation). Sovereign island state in the Persian Gulf Kingdom of Bahrain مملكة البحرين   (Arabic) Mamlakat al-Baḥrayn Flag Coat of arms Anthem:  نشيد البحرين الوطني Bahrainona Our Bahrain Location of   Bahrain    (circled in red) Capital and largest city Manama 26°13′N 50°35′E  /  26.217°N 50.583°E  / 26.217; 50.583 Official languages Arabic Ethnic groups (2010 [1] ) 50.7% Arab (46% Bahrani, 4.7% other Arabs) 45.5% Asian 1% European 1.2% Others Religion Islam Demonym(s) Bahraini Government Unitary constitutional monarchy • King Hamad bin Isa Al Khalifa • Crown Prince Salman bin Hamad bin Isa Al Khalifa • Prime Minister Khalifa bin Salman Al Khalifa Legislature National Assembly • Upper house Consultative Council • Lower house Council of Representatives Independence • Declared Independence [2] 14 August 1971 • from United Kingdom [1] 15 August 1971 • Admitted to the United Nations 21 September 1971 • Kingdom of Bahrain 14 February 2002
Read more

Postfix configuration issue with fips on centos 7; mailgun relay

Image
Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I am trying to setup postfix to relay all mail generated on the local machine via SMTP to a mailgun relay. I have used the mailgun relay before with success on an ubuntu server, but I am migrating to a Centos 7 server which I will be running in FIPS mode. There error log is below, slightly sanitized. I have a small enough network that I choose to have each machine reach out to mailgun individually (this the loopback-only, 127.0.0.0/8 restrictions) and no firewall open port allowing smtp in to the machine. I assume the FIPS mode (and with it disabling of MD5) is causing problems, but I don't know how to overcome it or if it is even possible for tls_fprint to use some supported hash such as sha256 or sha512. However, the relay=none is slightly concerning since I have relayhost set, but perhaps that is because the smtp process is failing? Any help would be appreciated! postconf -n: alias_database = hash:/etc/alia
Read more