Improved X server security in Easy Containers
I am gradually ramping up the security for Easy Containers. Most
recently, attention has been given to the X server that is used in a
container, and the ways in which it can be accessed. Here is a snapshot
of the latest Easy Container Management (see Filesystem menu):
Now, there is a choice of Xorg or Xephyr X servers. The latter is a
nested server, which outputs to its own window within the main Xorg
desktop. Using Xephyr in a container is considered to be more secure.
There are four ways in which an application can "connect" to the X
server: TCP port, abstract socket, pipe or Unix Domain Socket. Both Xorg
and Xephyr are started with "-nolisten tcp", thus disabling that
option.
To see where the servers are launched and their command lines, see /usr/bin/xwin for Xorg and /root/Startup/xephyr for Xephyr (in the upcoming EasyOS 0.9.5).
The other three have arguments for and against. For EasyOS 0.9.5, I
decided to launch Xorg with "-nolisten tcp -nolisten local", thus in the
case of Xorg there remain only the Pipe and Unix Domain Socket
options.
Anyway, the "?" help button that you can see in the above snapshot has useful summaries of each option.
To see the choices applied to a container, there is a configuration
file. EasyOS 0.9.5 has a new container named "petget0", and the
configuration file is here:
/mnt/wkg/containers/petget0/configuration
Printing the X choices:
#Connect to X by abstract socket, pipe, or unix domain socket (abstract|pipe|unix)...
EC_XSOCKET='abstract'
#Use Xorg or Xephyr server (xorg|xephyr)...
EC_XSERVER='xephyr'
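As an added example (not part of EasyOS, and not code from this post), here is a small shell check that reads the two X settings from a container configuration file and validates them against the allowed values given in the comments. The function names ec_get and ec_check_x are made up for the illustration, and the xorg/abstract warning is an inference from the "-nolisten local" flag described above.

```shell
#!/bin/sh
# Added example, not EasyOS code. Values are read with sed, never sourced,
# so nothing written into a container's configuration file gets executed.

# ec_get FILE KEY: print the value of a KEY='value' line (last one wins).
ec_get() {
    sed -n "s/^$2='\([^']*\)'[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# ec_check_x FILE: print findings; return 0 only if both settings are valid
# and consistent with Xorg being started with "-nolisten local".
ec_check_x() {
    rc=0
    server=$(ec_get "$1" EC_XSERVER)
    socket=$(ec_get "$1" EC_XSOCKET)
    case $server in
        xephyr) echo "OK   EC_XSERVER=xephyr (nested server)" ;;
        xorg)   echo "NOTE EC_XSERVER=xorg (Xephyr is considered more secure)" ;;
        *)      echo "FAIL EC_XSERVER='$server' is not xorg|xephyr"; rc=1 ;;
    esac
    case $socket in
        abstract|pipe|unix) echo "OK   EC_XSOCKET=$socket" ;;
        *) echo "FAIL EC_XSOCKET='$socket' is not abstract|pipe|unix"; rc=1 ;;
    esac
    if [ "$server" = xorg ] && [ "$socket" = abstract ]; then
        echo "WARN Xorg runs with -nolisten local: only pipe and unix remain"
        rc=1
    fi
    return $rc
}

# Constructed sample: the four lines printed above, written to a temp file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Connect to X by abstract socket, pipe, or unix domain socket (abstract|pipe|unix)...
EC_XSOCKET='abstract'
#Use Xorg or Xephyr server (xorg|xephyr)...
EC_XSERVER='xephyr'
EOF
ec_check_x "$demo"
rm -f "$demo"
```

A line with anything after the closing quote does not match and is reported as a missing value, rather than being run as it would be if the file were sourced.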
As I posted recently, I wanted to rethink some of the basics. That
will be ongoing; however, I am now looking at implementing containers in
a different, simpler, way. Simple, so that the above Easy Containers
Management GUI app will never even need to be run. So the user will
not have to get involved in the details of creating a container and
making those technical security choices.
Will explain more soon...