# xhost and its possible security issues?



## Spartrekus (Feb 28, 2018)

Hello,

Thinking about security, I may believe that xhost may be a potentially dangerous programme, which may be a security issue.

Anyone can give "xhost +", and anyone logged in may do absolutely anything if another user is using the machine at the same time. A hacker could take the chance to get many things out of this app.

Just some thinking...


----------



## Deleted member 48958 (Feb 28, 2018)

Spartrekus said:


> Anyone can give "xhost +", and anyone logged in may do absolutely anything if another user is using the machine at the same time. A hacker could take the chance to get many things out of this app.



Better use `% xhost +si:localuser:specificusername`
Replace "_specificusername_" with something you use.
Then it won't give access to anyone, except "_specificusername_" on the local machine.


----------



## SirDice (Feb 28, 2018)

The nice thing about UNIX(-like) systems is that they'll never stop you from shooting yourself in the foot.


```
       The xhost program is used to add and delete host names or user names to
       the list allowed to make connections to the X server.  In the  case  of
       hosts,  this  provides  a rudimentary form of privacy control and secu-
       rity.  It is only sufficient for a workstation (single  user)  environ-
       ment,  although  it  does  limit  the worst abuses.  Environments which
       require more sophisticated measures  should  implement  the  user-based
       mechanism  or use the hooks in the protocol for passing other authenti-
       cation data to the server.
From xhost(1)

The issues with xhost(1) have been known for at least 20 years, if not longer.


----------
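The replies above contrast a blanket `xhost +` with per-user `+si:localuser:` entries. As an added example that is not part of any post in this thread, the shell function below reads the listing printed by `xhost` and flags every entry broader than a single local user. It assumes the stock xhost output format (a status line, then one entry per line); the function name `audit_xhost` and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the access list printed by `xhost` (no arguments).
# Assumption: stock xhost output, i.e. a status line followed by entries
# such as SI:localuser:NAME, LOCAL:, INET:HOST or INET6:HOST.

# audit_xhost: reads xhost output on stdin, prints one finding per entry.
# Returns 0 if only per-user (SI:localuser) entries are present, else 1.
audit_xhost() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left behind by a bare "xhost +"
                echo "OPEN: access control disabled (xhost +)"; rc=1 ;;
            "access control enabled"*|"")
                ;;
            SI:localuser:*)
                echo "USER: ${line#SI:localuser:}" ;;
            LOCAL:*)
                echo "BROAD: every local user may connect"; rc=1 ;;
            INET:*|INET6:*)
                # Host-based entry: covers all users on that host
                echo "HOST: any user on ${line#*:} may connect"; rc=1 ;;
            *)
                echo "UNKNOWN: $line"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of `xhost` output (not captured from a real system).
SAMPLE='access control enabled, only authorized clients can connect
SI:localuser:alice
LOCAL:
INET:build.example.org'

printf '%s\n' "$SAMPLE" | audit_xhost || echo "review the entries flagged above"
```

On a running X session the same function can be fed live data with `xhost | audit_xhost`.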



## Deleted member 48958 (Feb 28, 2018)

Also it is possible to use ssh to launch GUI apps as another user,
just add your user's ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys of the user
from which you want to start applications, then start your GUI apps with
`% ssh -Y specificusername@0` and then launch your app,
or `% ssh -Y specificusername@0 appname`.

Also you need to add _sshd_enable="YES"_ to /etc/rc.conf and then start sshd with `# service sshd start`.
Also "_X11Forwarding_" should be enabled in /etc/ssh/sshd_config (enabled by default in FreeBSD).

Also it is possible to use the _specificusername_ password when using ssh, but I do not recommend using passwords when using ssh; better to disable "_PasswordAuthentication_" and "_ChallengeResponseAuthentication_" in /etc/ssh/sshd_config and use only public keys when using ssh.


----------

