IBM Support

AIX X11: How to create and share .Xauthority for an X Virtual Frame Buffer Xserver

How To


Summary

How to start a Virtual Frame Buffer Xserver, and then use and share xauth authentication keys.

Objective

Some database applications use the Xserver Virtual Frame Buffer (Xvfb) for interim rendering of forms. Some administrators might use xhost to grant access to users. As noted in "How do I start an X Virtual Frame Buffer (VFB) with the Motif Window Manager (MWM) from inittab?", using xhost to grant access to other users and clients is not secure.

Many security scanners detect this configuration and send alerts about CVE-1999-0526 (CERT-VN:VU#704969).

The CERT documentation explains:

For convenience, many X Window System emulators are configured to allow any remote X client to open windows on the X server. On command-line based systems the equivalent configuration is generated by executing "xhost +". This configuration is insecure because attackers might be able to connect to the X server and monitor keystrokes or inject commands into X Window System sessions.

The solution is to use the Xauthority facility. The steps to enable xauth for XVFB are described in this document.

Steps

1) As root, start a VFB Xserver on display :100
# X -vfb -auth ~/.Xauthority :100 &

2) Generate the MIT-MAGIC-COOKIE-1 key for the Xserver running on :100
root:# xauth generate  :100 .
1356-364 xauth:  creating new authority file /.Xauthority

3) As userA, test a connection to the :100 Xserver
userA:$ export DISPLAY=:100
userA:$ xauth list
1356-364 xauth:  creating new authority file /home/userA/.Xauthority
**There are no authentication cookies yet.
userA:$ xhost
Xlib: connection to ":100.0" refused by server
Xlib: Client is not authorized to connect to Server
1356-200 xhost unable to open display ":100"

4) As root, share the authorization key with userA
root:# xauth extract - :100 | su - userA  -c "xauth merge -"
1356-364 xauth:  creating new authority file /home/userA/.Xauthority

5) As userA, test the updated /home/userA/.Xauthority
userA:$ xauth list
my.hostname.com/unix:100  MIT-MAGIC-COOKIE-1  78170c415079594407083a584c424e68
userA:$ xhost
access control enabled, only authorized clients can connect

RESULT: userA can open the :100 DISPLAY
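
A check to run after step 5, as an added example that is not part of the original IBM document: it classifies xhost output and confirms that a shared .Xauthority file grants nothing to group or others. The function names and verdict strings are assumptions of this example, and the sample xhost output at the end is constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): verify the result of the xauth procedure.
# Typical use after step 5:
#   DISPLAY=:100 xhost 2>&1 | check_xhost
#   check_xauth_perms "$HOME/.Xauthority"

# check_xhost: read `xhost` output on stdin and print a verdict.
# Returns 0 = cookie-only access, 1 = host-based entries present,
#         2 = access control disabled (the "xhost +" state), 3 = no status line.
check_xhost() {
    state=unknown
    entries=0
    while IFS= read -r line; do
        case $line in
            *"access control disabled"*) state=disabled ;;
            *"access control enabled"*)  state=enabled ;;
            "") ;;
            *)  # Assumption: every non-empty line after the status line is one
                # access-list entry (for example INET:host or SI:localuser:name).
                if [ "$state" != unknown ]; then entries=$((entries + 1)); fi ;;
        esac
    done
    case $state in
        disabled) echo "OPEN"; return 2 ;;
        unknown)  echo "UNKNOWN"; return 3 ;;
    esac
    if [ "$entries" -gt 0 ]; then
        echo "HOST_ENTRIES $entries"
        return 1
    fi
    echo "COOKIE_ONLY"
}

# check_xauth_perms FILE: the cookie is a shared secret, so the file that
# holds it must grant nothing to group or others (mode 600 or stricter).
check_xauth_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    case $perms in
        ------) echo "OK" ;;
        "")     echo "MISSING"; return 2 ;;
        *)      echo "EXPOSED"; return 1 ;;
    esac
}

# Constructed sample: access control is on, but one host-based entry remains.
check_xhost <<'EOF' || :
access control enabled, only authorized clients can connect
INET:client.example.com
EOF
```

A verdict of COOKIE_ONLY together with OK means that only holders of the cookie can connect and that the cookie file is private to its owner.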


Product Synonym

xvfb;vfb;xauth;Xauthority

Document Information

Modified date:
07 December 2022

UID

ibm16846152