How to disable X Windows?

dictum9 · ‎04-17-2006

I need to disable X Windows and xhost.

I tried xhost - but when I run xhost again it says:

access control disabled, clients can connect from any host

Also, I have the following line in: /etc/dt/config/Xconfig but it still doesn't do it.

Dtlogin.requestPort: 0

Rick Garland · ‎04-17-2006

Do not start the dtlogin.rc
Can remove this from startup or while running do /sbin/init.d/dtlogin.rc stop

Chan 007 · ‎04-17-2006

HI,

See the following link

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=788343

Chan

Jeff_Traigle · ‎04-17-2006

The actual proferred way, I would think, is to edit /etc/rc.config.d/desktop.

Change:

DESKTOP="CDE"

to

DESKTOP=""

--
Jeff Traigle

dictum9 · ‎04-17-2006

It stopped CDE, but the X Windows server still accepts connections.

# ./dtlogin.rc stop
# ps -fela | grep -i dtlogin | grep -v grep
#
# xhost
access control disabled, clients can connect from any host

Steven E. Protter · ‎04-17-2006

Shalom,

Turn off the font server.

/sbin/init.d/xfs stop

edit
/etc/rc.config.d/xfs

Make the first variable equal to 0

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

dictum9 · ‎04-17-2006

Here is what the actual STIG listing says. Could someone translate it for me. It says that output from xhost is OK, but if I am getting "clients can connect from any host", how can that possibly be secure?

First, perform xhost from an X terminal. If the output report access control is enabled (and possibly lists the hosts that can receive X Window logins), this is not a finding. It may be necessary to define the display if the command reports it cannot open the display. Define the display with DISPLAY=:0; export DISPLAY. Then try the xhost command again. If there are no X Windows used, the finding is Not Applicable. If the xhost command returns a line indicating access control is disabled, this is a finding.

DCE · ‎04-17-2006

xhost is tied directly to the Xserver process. If you truely want to disable all x access into the system, you will have to disable the Xserver process. I am not that knowledgable about Xserver, but I do know it listens on port 6000. If you disable that port, then no system will be able to connect graphically, regardless of of the xhosts output.

dictum9 · ‎04-17-2006

That's the problem, I am not sure what needs to be done to make the system compliant: Turn off the xserver completely or tune the xhost command output.

The description is: The system is exporting X displays to anybody.

My question is: Why doesn't running the xhost - not make any difference?

And if it did work, would be sufficient?

DCE · ‎04-17-2006

If you look at the man page for xhost, it states that it is not a very good security measure, and that other methods should be used if you want a more secure environment....

From the man page on xhost:
The xhost program is used to add and delete host names or user names
to the list allowed to make connections to the X server. In the case
of hosts, this provides a rudimentary form of privacy control and
security. It is only sufficient for a workstation (single user)
environment, although it does limit the worst abuses. Environments
which require more sophisticated measures should implement the user-
based mechanism or use the hooks in the protocol for passing other
authentication data to the server.

Ivan Ferreira · ‎04-17-2006

See this thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=945618

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Ivan Ferreira · ‎04-17-2006

After modifying the file, do kill -HUP to the dtlogin process.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Bill Hassell · ‎04-17-2006

xhost is like an access list. You can enable specific IP or hostnames to connect but it does NOT remove the Xserver. Edit the /etc/rc.config.d script as mentioned, then find the dtlogin processes like this:

UNIX95=1 ps -fC dtlogin

This method (to find processes by name) is stronlgy recommended over using grep.

Bill Hassell, sysadmin

Bill Hassell · ‎04-17-2006

xhost is like an access list. You can enable specific IP or hostnames to connect but it does NOT remove the Xserver. Edit the /etc/rc.config.d script as mentioned, then find the dtlogin processes like this:

UNIX95=1 ps -fC dtlogin

This method (to find processes by name) is stronlgy recommended over using grep. Kill the dtlogin process(es) and the Xwindow port will now be closed.

Bill Hassell, sysadmin

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

How to disable X Windows?

How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?

Re: How to disable X Windows?