[Bug 3695] New: X11 forwarding via UNIX socket instead of 127.0.0.1
bugzilla-daemon at mindrot.org
Fri May 31 02:54:40 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3695
Bug ID: 3695
Summary: X11 forwarding via UNIX socket instead of 127.0.0.1
Product: Portable OpenSSH
Version: 9.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: kolAflash at kolahilft.de
With "-X" SSH forwards X11 by listening to a TCP port on the server's
localhost IP. Usually TCP 127.0.0.1:6010 for the first client.
127.0.0.1 isn't highly secure. Other users on the same host can connect
to it. And even JavaScript code from arbitrary websites running in a
local web browser can do certain connections to localhost.
https://developer.chrome.com/blog/private-network-access-update?hl=en
https://utcc.utoronto.ca/~cks/space/blog/web/ChromePrivateNetBlocks
https://bugzilla.mozilla.org/show_bug.cgi?id=354493
(with some luck the web browsers close that door in the next couple of
years...)
For X11 there is some authentication via the ~/.Xauthority file. But
I'm wondering why a UNIX socket is not being used instead. Locally X11
usually connects via a UNIX socket /tmp/.X11-unix/X0 which is properly
protected by file permissions. So really only the user himself can
connect to it. I'd guess that's much more secure than relying on
.Xauthority protecting the TCP socket.
---> So why not use a UNIX socket for X11 forwarding?
P.S.
I don't have much experience with Wayland. But it looks like Waypipe is
also using UNIX sockets for Wayland forwarding.
https://gitlab.freedesktop.org/mstoeckl/waypipe
https://mstoeckl.com/notes/gsoc/blog.html
You can manually try this out:
ssh -R /tmp/.X11-unix/X1:/tmp/.X11-unix/X0 USER@HOST
DISPLAY=:1 xterm
rm -Iv /tmp/.X11-unix/X1
You have to manually remove /tmp/.X11-unix/X1 afterwards, because SSH
doesn't do that and won't create a new socket file on the next
connection if the old one still exists. There's a switch
StreamLocalBindUnlink=yes but it only works for forwarding the other
way around with -L instead of -R.
QUESTION:
Could this be fixed too? It's quite annoying to delete the socket file
manually. Or is there a certain reason why this must not be removed
automatically?
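An added helper for the manual workaround above (example code, not part of the bug report or of OpenSSH), meant to be sourced on the remote host where the -R socket is created: it picks a display number whose socket path is still free, builds the -R argument, and removes a leftover socket only after checking that the path really is a UNIX socket owned by the current user. The directory /tmp/.X11-unix and the local :0 display come from the report; X11_DIR and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: helpers around the
# "ssh -R /tmp/.X11-unix/XN:/tmp/.X11-unix/X0" workaround.
# X11_DIR is an assumed name; its default is the path used in the report.
X11_DIR="${X11_DIR:-/tmp/.X11-unix}"

# Print the lowest display number N (1..99) for which "$1/XN" does not
# exist yet, so a stale socket from an earlier session is never reused.
pick_free_display() {
    dir="$1"
    n=1
    while [ "$n" -le 99 ]; do
        [ -e "$dir/X$n" ] || { printf '%s\n' "$n"; return 0; }
        n=$((n + 1))
    done
    return 1
}

# Build the -R argument: remote socket X$1 forwarded to the local X0 socket.
forward_spec() {
    printf '%s\n' "$X11_DIR/X$1:$X11_DIR/X0"
}

# Remove a leftover forwarded socket, but only if the path is a UNIX socket
# (-S) owned by the caller (-O). A regular file, a symlink to something
# else, or another user's socket is left alone and the function returns 1.
cleanup_socket() {
    path="$1"
    if [ -S "$path" ] && [ -O "$path" ]; then
        rm -f -- "$path"
        return $?
    fi
    return 1
}

# Session outline (needs a reachable host, so not executed when sourced):
#   N=$(pick_free_display "$X11_DIR")        # run on the remote host
#   ssh -R "$(forward_spec "$N")" USER@HOST  # run on the local machine
#   DISPLAY=":$N" xterm                      # run on the remote host
#   cleanup_socket "$X11_DIR/X$N"            # run on the remote host at exit
```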