making X secure?
Jan Bramkamp
crest at rlwinm.de
Mon Aug 29 08:51:17 UTC 2016
On 28/08/16 14:30, Jules Gilbert via freebsd-x11 wrote:
> Is this possible?, can X be made secure??
>
> I need X for the Mozilla application family. Are those weak from a
> security perspective?
>
> At the moment I'm doing other stuff and (this may be a foolish
> thought...,) would accept a quick fix. Probably a really bad idea, I
> know. But someone who's apparently good at this has hacked several
> releases of FreeBSD and OpenBSD. About OpenBSD, as soon as one adds
> (for me, necessary,) applications, it's not as advertised.
>
> Okay, one more time. Can X be made secure?
X.org has an enormous attack surface and compromising the X11 server can
allow you to capture all user input (including passwords). You can run a
nested X11 server to reduce the attack surface and gain some defense in
depth. You can also run Firefox and/or Thunderbird in a jail. The next
step would probably be shipping audit records to a remote system with
auditdistd. You can further lock down the jail with MAC modules if you
like to play a few rounds of whack-a-mole with your applications.
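
Added example, not part of the original message: one way to set up the nested X11 server suggested in the reply, with its own authority cookie, so the application is never given the host display or the host cookie. Xephyr as the nested server, display :1, the 1280x800 window and all function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original message): run one client inside a
# nested X server that has its own authority cookie.
# Assumptions: Xephyr as the nested server, display :1, a 1280x800 window.
NESTED_DISPLAY="${NESTED_DISPLAY:-:1}"

# 128-bit MIT-MAGIC-COOKIE-1 value, printed as 32 hex digits.
new_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Write a fresh cookie for the nested display into a private authority
# file (mktemp creates it mode 0600) and print the file's path.
make_authfile() {
    authfile=$(mktemp "${TMPDIR:-/tmp}/nested-xauth.XXXXXX") || return 1
    xauth -q -f "$authfile" add "$NESTED_DISPLAY" . "$(new_cookie)" || return 1
    printf '%s\n' "$authfile"
}

# Start Xephyr, run "$@" against it with a scrubbed environment, clean up.
run_nested() {
    authfile=$(make_authfile) || return 1
    sock="/tmp/.X11-unix/X${NESTED_DISPLAY#:}"
    # Xephyr is itself a client of the host server named by the caller's
    # DISPLAY; -auth makes it demand the new cookie from its own clients.
    Xephyr "$NESTED_DISPLAY" -auth "$authfile" -nolisten tcp -screen 1280x800 &
    xephyr_pid=$!
    # Wait up to ~10 s for the nested server's UNIX socket to appear.
    tries=0
    until [ -S "$sock" ] || [ "$tries" -ge 10 ]; do
        sleep 1
        tries=$((tries + 1))
    done
    # env -i keeps the host DISPLAY and XAUTHORITY out of the client's
    # environment; it is handed the nested display and cookie only.
    env -i HOME="$HOME" PATH="$PATH" \
        DISPLAY="$NESTED_DISPLAY" XAUTHORITY="$authfile" "$@"
    status=$?
    kill "$xephyr_pid" 2>/dev/null
    rm -f "$authfile"
    return "$status"
}

# Only act when asked to, e.g.: sh nested-x.sh --run firefox
if [ "${1:-}" = "--run" ]; then
    shift
    run_nested "$@"
fi
```

The client started this way still runs as the same user with access to the same files, which is the gap the jail mentioned in the reply is meant to close.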