https://bugzilla.mindrot.org/show_bug.cgi?id=3695

            Bug ID: 3695
           Summary: X11 forwarding via UNIX socket instead of 127.0.0.1
           Product: Portable OpenSSH
           Version: 9.7p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-b...@mindrot.org
          Reporter: kolafl...@kolahilft.de

With "-X" SSH forwards X11 by listening to a TCP port on the server's
localhost IP. Usually TCP 127.0.0.1:6010 for the first client.

127.0.0.1 isn't highly secure. Other users on the same host can connect
to it. And even JavaScript code from arbitrary websites running in a
local web browser can do certain connections to localhost.
https://developer.chrome.com/blog/private-network-access-update?hl=en
https://utcc.utoronto.ca/~cks/space/blog/web/ChromePrivateNetBlocks
https://bugzilla.mozilla.org/show_bug.cgi?id=354493
(with some luck the web browsers close that door in the next couple of
years...)

For X11 there is some authentication via the ~/.Xauthority file. But
I'm wondering why a UNIX socket is not being used instead. Locally X11
usually connects via a UNIX socket /tmp/.X11-unix/X0 which is properly
protected by file permissions. So really only the user himself can
connect to it. I'd guess that's much more secure than relying on
.Xauthority protecting the TCP socket.

---> So why not use a UNIX socket for X11 forwarding?

P.S.

I don't have much experience with Wayland. But it looks like Waypipe is
also using UNIX sockets for Wayland forwarding.
https://gitlab.freedesktop.org/mstoeckl/waypipe
https://mstoeckl.com/notes/gsoc/blog.html

You can manually try this out:
  ssh -R /tmp/.X11-unix/X1:/tmp/.X11-unix/X0 USER@HOST   # remote :1 on HOST -> local :0
  DISPLAY=:1 xterm                                       # run inside the session on HOST
  rm -Iv /tmp/.X11-unix/X1                               # on HOST, after the session ends
You have to manually remove /tmp/.X11-unix/X1 afterwards, because SSH
doesn't do that and won't create a new socket file on the next
connection if the old one still exists. There's a switch
StreamLocalBindUnlink=yes but it only works for forwarding the other
way around with -L instead of -R.

QUESTION:
Could this be fixed too? It's quite annoying to delete the socket file
manually. Or is there a certain reason why this must not be removed
automatically?

_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

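The stale-socket behaviour the report describes, and the two questions it raises (why a leftover file blocks the next forward, and whether it is safe to remove automatically), come straight from AF_UNIX bind()/connect() semantics. The following is an added example, not code from the reporter or from OpenSSH: it emulates in Python what a forward endpoint does when it binds a UNIX socket path, shows bind() failing with EADDRINUSE when a leftover socket file is present, and shows a "StreamLocalBindUnlink"-style cleanup that only unlinks a file nobody is listening on (connect() on such a file fails with ECONNREFUSED, whereas unlinking a live listener's path would cut off an active forward). It also creates the socket file as mode 0600, which is the file-permission protection the report contrasts with a 127.0.0.1 TCP listener. The function names, the scratch directory and the `demo_stale_socket` scenario are this example's own assumptions; the DISPLAY-to-path and DISPLAY-to-port mappings are standard X11 conventions.

```python
import errno
import os
import socket
import stat
import tempfile

# Standard X11 conventions: DISPLAY :n is /tmp/.X11-unix/Xn locally and TCP 6000+n.
# ssh -X starts at display 10 on the server, hence 127.0.0.1:6010 in the report.
X11_UNIX_DIR = "/tmp/.X11-unix"
X11_TCP_BASE = 6000


def x11_unix_socket_path(display_number, base_dir=X11_UNIX_DIR):
    """UNIX socket path for DISPLAY=:<display_number> (helper name is this example's)."""
    return os.path.join(base_dir, "X%d" % display_number)


def x11_tcp_port(display_number):
    """TCP port for DISPLAY=<host>:<display_number>."""
    return X11_TCP_BASE + display_number


def socket_is_stale(path):
    """True if `path` is a UNIX socket file with no process listening on it.

    connect() on a socket file whose listener has gone away fails with
    ECONNREFUSED; a live listener accepts. That distinction is what makes an
    automatic unlink safe: only files that refuse connections are removed.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISSOCK(st.st_mode):
        return False  # never unlink something that is not a socket
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as probe:
        try:
            probe.connect(path)
        except ConnectionRefusedError:
            return True
    return False


def bind_unix_listener(path, unlink_stale=False, mode=0o600):
    """Emulates a forward endpoint binding a UNIX socket (assumed behaviour,
    not OpenSSH code). Without unlink_stale, a leftover file makes bind() fail
    with EADDRINUSE. With unlink_stale, a stale file is removed first while a
    live one is left alone. The socket file is created with restrictive mode so
    that, on Linux, only the owner can connect() to it."""
    if unlink_stale and socket_is_stale(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file is created as 0777 & ~umask = 0600
    try:
        srv.bind(path)
    except OSError:
        srv.close()
        raise
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    srv.listen(1)
    return srv


def demo_stale_socket(scratch_dir=None):
    """Runs the report's scenario in a scratch directory (constructed, not /tmp/.X11-unix):
    first forward binds X1, the listener goes away as ssh exits but the file stays,
    a second plain bind fails, and a stale-aware bind succeeds."""
    scratch_dir = scratch_dir or tempfile.mkdtemp(prefix="x11fwd-")
    path = x11_unix_socket_path(1, base_dir=scratch_dir)

    first = bind_unix_listener(path)
    live_was_stale = socket_is_stale(path)      # False: a listener is present
    first.close()                               # like ssh exiting: the file stays behind
    file_left_behind = os.path.exists(path)

    try:
        bind_unix_listener(path)
        rebind_failed_addrinuse = False
    except OSError as exc:
        rebind_failed_addrinuse = exc.errno == errno.EADDRINUSE

    second = bind_unix_listener(path, unlink_stale=True)
    socket_mode = stat.S_IMODE(os.stat(path).st_mode)
    second.close()
    os.unlink(path)
    os.rmdir(scratch_dir)

    return {
        "live_was_stale": live_was_stale,
        "file_left_behind": file_left_behind,
        "rebind_failed_addrinuse": rebind_failed_addrinuse,
        "rebind_after_unlink_ok": True,
        "socket_mode": socket_mode,
    }


if __name__ == "__main__":
    for key, value in demo_stale_socket().items():
        print(key, value)
```

Run it as a plain script; it only touches a freshly created scratch directory. The `socket_is_stale` probe is the check a cleanup step would want before deleting anything: a file that accepts the connection belongs to a live forward and must be left in place.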