NX Security (was [FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'")
freenx at mikebell.org
Tue Oct 19 23:21:43 UTC 2004
On Wed, Oct 20, 2004 at 12:48:21AM +0200, Kurt Pfeifle wrote:
> A local root exploit applied to one of your machines -- and you are
> screwed, no doubt about that. That is true for NX or non-NX machines.

Not precisely so. Local roots are a great deal more prolific than remote
roots, and taken much less seriously by admins. The view that a
remote restricted access exploit is basically the same thing as a remote
root seems not uncommon.

In any event, NX doesn't change the fact that you are screwed by a
local root exploit, but it does expand the circle of people who can
screw you to encompass anyone with your NX key (which as I stated could
vary from "practically everyone" to "just the people you gave it to",
though the latter case could be a lot rarer than many people would
think, so I'd be disinclined to trust it on a system of my own.)

> But what makes you think that you could "monitor cleartext passwords
> of people trying to log in using nx sessions, as well as all their
> keystrokes" even *without* the need for a root exploit, with just the
> privilege of the nx user?

Ahh, I may have been misinformed, but I believe I read that things like
nxagent run as user nx, in order to enable the various management
functions. If that's the case then the nx user has complete access to
the memory space of all those processes. Or he could change the path to
execute his own versions of various binaries. Or use chsh to change the
login shell. Or modify ~/.ssh/authorized_keys. Or any number of other
tricks. Some or all of these may not work; before you punch holes in
them, my point is simply that shell access as the NX user cannot simply
be dismissed as harmless.

Anyway, my intention was not to delve into some comprehensive analysis
of NX security; initially I just wanted to know how the port forwarding
worked, so that I could determine for myself whether or not I felt reasonably
safe using the less controversial parts of the NX solution on my system,
as they stand now.