Tell me more ×
Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems.. It's 100% free, no registration required.
up vote 7 down vote favorite

OpenBSD's man page afterboot(8) suggests: "You might wish to tighten up security more by editing /etc/fbtab as when installing X."

How might one do this? What lines when added to /etc/fbtab would help to secure X Windows?

share|improve this question
1  
man fbtab - will tell you the details about temporarily assigning ownership of devices based on login ttys. On my laptop, X11 gets the ttyC5. So, I can control the device ownership based on that. I don't know how useful this is though because we already have matchdep.allowaperture = 1 setting in /etc/sysctl.conf using which we can assign more privileges to Xorg. – Salil Oct 21 '12 at 0:44

1 Answer

up vote 1 down vote

Let's assume the X11 is /dev/ttyC5 as suggested by Salil.

Example 1: Web server and desktop environment on the same machine

Let's also assume that you are running a web server on with sensitive data (owner is user 'www') in it and your desktop user has permission to work (read, write, execute) in that directory.

But for everything you intend to do on the desktop like mailing, listening to music, messaging or browsing has nothing to do with these files. Now GUIs want to make everything simpler, faster and overall more comfortable, so a misclick in Nautilus, Konqueror or some other file manager can accidentally delete a file, a misclick might even send data as an email attachment over the internet, you could accidentally share a file over the network etc. - all these dangers are one click away in graphical desktop environment whereas on the command line you would issue a command name with the fitting arguments for the same effect.

You could now use /etc/fbtab to let login tell chmod to make that directory readonly for the owner, so none of your desktop users can accidentally delete anything, even though they are permitted to work in that directory when using the command line and only the owner 'www' (which should not have desktop access anyway) can read it:

/dev/ttyC5 0400 /home/user/apache13/www/

Example 2: Sensitive data for a local project only

Let's assume that you are working on a project with colleagues, who all have permission to log into your X11 desktop with their accounts. But they are supposed to only have access to the directory with your project in it via X11, because they are not very experienced with the command line and might unintentionally do something wrong, so you have the permissions very restrictive for that directory.

This entry changes it to rwx rwx r-x for X11:

/dev/ttyC5 0775 /www/groupproject

Example 3: USB and floppy storage as backup disks

You want to restrict access to usb storage on /dev/wd0 and /dev/wd1 as well as floppy disks on /dev/fd0, because they are used for backup only.

/dev/ttyC5 0400 /dev/wd0:/dev/wd1:/dev/fd0
share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.