HPE Community
Operating System - HP-UX
1832570 Members
5308 Online
110043 Solutions
New Discussion

Re: How to stop X11 in HPUX

 
hpuxadm1
Occasional Advisor

‎08-09-2010 01:44 AM

‎08-09-2010 01:44 AM

How to stop X11 in HPUX

Hello All,

Can you please help me out.
I need to stop X11 in HPUX 11.11

Thanks & Regards,
0 Kudos
Reply
3 REPLIES 3
DeafFrog
Valued Contributor

‎08-09-2010 09:09 PM

‎08-09-2010 09:09 PM

Re: How to stop X11 in HPUX

Hi ,

try this , RUN_X_FONT_SERVER=1 in
/etc/rc.config.d/xfs and then /sbin/init.d/xfs stop.

Regards,
FrogIsDeaf
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

‎08-10-2010 02:10 AM

‎08-10-2010 02:10 AM

Re: How to stop X11 in HPUX

X11 has many forms. It is not clear which one(s) you wish to disable.

-----------------

If you want to only disable remote X11 connections using XDMCP (the remote X11 method that presents an X11-style login dialog), then edit /usr/dt/config/Xaccess to change the line that says:

CHOOSER BROADCAST #any indirect host can get a chooser

to this:

# XDMCP disabled by hpuxadm1
# CHOOSER BROADCAST #any indirect host can get a chooser

Also change a line that says:

* # grant service to all remote displays

to this:

# XDMCP disabled by hpuxadm1
# * # grant service to all remote displays

----------------

If you want to only disable local X11 login on the system console, edit /usr/dt/config/Xservers and comment out the line that starts the local X server (usually the last line)

----------------

To completely disable both local X11 login *and* remote XDMCP connections, run "/sbin/init.d/dtlogin.rc stop" and "/sbin/init.d/xfs stop".

To make the change permanent, edit /etc/rc.config.d/desktop. Change "DESKTOP=CDE" to "DESKTOP=none".
Also edit /etc/rc.config.d/xfs and change "RUN_X_FONT_SERVER=1" to "RUN_X_FONT_SERVER=0".

You can also comment out the CDE desktop services from /etc/inetd.conf: if nobody is supposed to use the X11 desktop, these services are all useless.
Comment out the lines that mention "dtspcd", "rpc.ttdbserver" and "rpc.cmsd". Then send a "kill -HUP" signal to the inetd process.

After this, all the active parts of the X11 subsystem on the local host are shut down.
But if the user uses SSH X11 forwarding (or gets a shell on the system by any means and sets the DISPLAY variable manually), s/he can still run X11 applications and get the application windows on his/her workstation.

----------------

If you want to prevent users with a command-line access from using X11 programs, then you must change the sshd_config setting "X11Forwarding yes" to "X11Forwarding no" and restart sshd (assuming you have SSH installed on your system), *AND* use an IPFilter or an external firewall to prevent outgoing connections to the X11 server applications (like ReflectionX) on the workstations.

If the user logs in to your system (using telnet/rlogin/remsh or whatever), sets the DISPLAY variable and starts an X11 application, the application will initiate an *outgoing* connection to the remote ReflectionX or other X11 server application, using the address and port indicated by the DISPLAY variable. The application will then request the X11 server to draw windows on the workstation screen.

There is no local process on your system that you could stop to prevent this, because this functionality is embedded in the X11 libraries and applications themselves.

The pattern of traffic to block is:

Protocol TCP
->

NOTE: this restriction is not perfect. It only makes the remote use of X11 applications difficult, not impossible.

If your users can install software on the system (even only to their own home directories), a clever user could install his/her own X11 forwarder using a non-standard port, and possibly work around the network restriction.

MK
MK
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.