This chapter discusses optional DECwindows environment features that improve the security of a workstation. The DECwindows environment can be configured using the GUI selection feature of the /usr/sbin/setup utility.
When you log in to a workstation and create a session, your workstation determines which hosts are authorized to access its display. Every user who can log in to an authorized host has the following kinds of access to your workstation:
Read: Users can read the contents of one or more windows on your workstation. When you press a key on your keyboard, a character representing the key appears on your workstation screen. Thus, you can see what you type on your screen. Any user on a host that is authorized to access your display could divert your keystrokes to another workstation display. An unscrupulous user could capture and display keystrokes (including your password) on another system.
Write: Users on authorized hosts can send simulated keystrokes to your workstation display. Your workstation software treats the keystrokes the same whether you type them from your keyboard or an application program sends them. Users on authorized hosts can send commands to your workstation, and every command is executed under your user login and password. For example, any user on an authorized host could delete all the files in your home directory tree.
Copy: Users on authorized hosts can capture a snapshot of any one of your windows or your entire workstation screen, without your knowledge. This snapshot is a static picture of the contents of your display. In general, if you can see it on your display, any user on an authorized host can see the same thing.
Controlling access to your workstation display is the key to creating a secure workstation environment. Your workstation keeps an access control list (ACL), which names the hosts on a network that can access its display. This list is a combination of a system list that your security administrator creates and a personal workstation list that you create.
Remember that hosts that are authorized to access your workstation display can read it, write it, and copy it at any time. Restricting access is the only way to prevent users from taking a snapshot of the contents of your workstation display.
There are three ways to designate which hosts can access your workstation display:
The system ACL
The workstation ACL
The X authority file utility
Your security administrator can authorize a host to access a workstation's display by adding the host name to a systemwide authorization file called /etc/X*.hosts. The asterisk (*) refers to the number of the workstation display that the hosts listed in the file can access. The standard display number is 0 (zero). Hosts that are not listed in this file cannot access your workstation display.
When shipped with your system, the /etc/X*.hosts file is empty, which means that only your workstation (the local host) can access its display.
Your workstation ACL can allow hosts access to your workstation display even though the system ACL does not. You can thus explicitly authorize other users or yourself, when you are logged in from another host, to display DECwindows applications and programs on your workstation.
Allowing remote systems to access your account on a workstation is a security concern. Check with your security administrator before authorizing additional hosts to use your workstation display.
Take the following steps to authorize other users to use your workstation display:
Select the Session Manager window.
Select the Security... option from the Options menu. The Security Options box is displayed on the screen. Type the host name you want to authorize.
Click on the Add button. The host name is added to the Authorized hosts box.
Click on the OK or Apply button.
To remove a host name for the current session:
Click on the name you want to remove.
Click on the Remove button.
Click on the OK or Apply button.
Users logged in to the host you remove will no longer have access to your workstation for this session. However, the system ACL is checked each time you start a session. Thus, removing a host is temporary if the host is listed in the /etc/X*.hosts file.
The changes you make to your workstation ACL remain in effect only for the current session unless you save them. You can save the changes you make during a session from the Customize menu in the Session Manager window. When you save the changes you make during a session, the hosts listed in the Customize Security box are stored in a file called .Xdefaults in your home directory.
Each time you start a new session, the workstation checks the /etc/X*.hosts system file as well as the .Xdefaults file to determine its ACL.
Any user who can edit the .Xdefaults file could modify the ACL for your workstation display. If that happens, the new list of authorized hosts would become effective the next time you start a session. Therefore, check your file permissions. Your home directory should deny read, write, and execute access to other, and write access to group. The permissions on the .Xdefaults file should deny all access to group and other. Use the chmod command to change the permissions:
$ chmod 750 $HOME
$ chmod 600 $HOME/.Xdefaults
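The permission check above can be scripted. The following is an added example, not part of the manual: a small sh script that reports whether a home directory and its .Xdefaults file meet the chapter's requirements (write for group and all access for other denied on the directory; all group and other access denied on the file) and applies the two chmod commands when they do not. It reads the mode from the portable ls -ld output rather than from stat, whose flags differ between systems. The function names are this example's own, and the demonstration at the end runs against a constructed temporary directory, never against your real home directory.

```shell
#!/bin/sh
# Added example (not from the manual): audit and repair the permissions the
# chapter requires on a home directory and its .Xdefaults file.
# Only ls, cut, chmod and mktemp are used, so it runs on any POSIX system.

# Print the 10-character type-and-permission field of `ls -ld`, e.g. drwxr-x---
# (a trailing '+' or '@' that some systems add for ACLs or attributes is cut off).
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# 0 if DIR denies write to group and read, write and execute to other, as
# chmod 750 produces. Character 6 is group-write; characters 8-10 are other's rwx.
home_dir_ok() {
    case "$(mode_string "$1")" in
        ?????-?---) return 0 ;;
        *)          return 1 ;;
    esac
}

# 0 if FILE denies all access to group and other, as chmod 600 produces
# (characters 5-10 are all '-').
xdefaults_ok() {
    case "$(mode_string "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Apply the chapter's two chmod commands to DIR and DIR/.Xdefaults.
fix_perms() {
    chmod 750 "$1" && chmod 600 "$1/.Xdefaults"
}

# Report both checks for DIR; return 0 only when both pass.
audit_home() {
    rc=0
    if home_dir_ok "$1"; then
        echo "ok:   $1 is $(mode_string "$1")"
    else
        echo "WARN: $1 is $(mode_string "$1"); run: chmod 750 $1"; rc=1
    fi
    if xdefaults_ok "$1/.Xdefaults"; then
        echo "ok:   $1/.Xdefaults is $(mode_string "$1/.Xdefaults")"
    else
        echo "WARN: $1/.Xdefaults is $(mode_string "$1/.Xdefaults"); run: chmod 600 $1/.Xdefaults"; rc=1
    fi
    return $rc
}

# Demonstration on a constructed, deliberately over-permissive home directory
# (never on the real $HOME): audit, repair, audit again.
demo_home=$(mktemp -d)
: > "$demo_home/.Xdefaults"
chmod 777 "$demo_home" && chmod 666 "$demo_home/.Xdefaults"
audit_home "$demo_home" || echo "-> applying fix_perms"
fix_perms "$demo_home"
audit_home "$demo_home"
rm -r "$demo_home"
```

To audit your own account, call audit_home "$HOME" and apply fix_perms "$HOME" only after reading the report; the check is deliberately strict, so a home directory that carries a setgid or sticky bit, or other-execute for a shared subtree, is reported as a warning rather than silently accepted.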
The xauth program allows you to run client applications on other workstations that do not share their home directory. You use the xauth program to edit and display the authorization information used in connecting to the X server. You usually use this program to extract authorization records from one machine and merge them in on another (as is the case when using remote logins or granting access to other users). Note that this program does not contact the X server.
Using the X authority file utility is the recommended method of securing your workstation. For more information, see the xauth(1X) reference page and the X Window System Environment manual.
DECwindows includes a secure keyboard mode that directs everything you type on the workstation keyboard to a single, secure window. All keyboard input is directed to the secure window, even if you have selected another window for input focus. In secure keyboard mode, keyboard input is read only by the application that created the window.
Secure keyboard mode is useful for protecting sensitive information, like your password, because it prevents users from running applications that might capture your keystrokes. Setting secure keyboard mode in a window prevents users on hosts that are authorized to access your workstation display from reading any keyboard input from that window. For example, if you have a root account on your workstation, always set secure keyboard mode before using su and typing your root password. You can set secure keyboard mode by selecting the Secure Keyboard item from the Commands menu in a DECterm window.
If hosts are authorized to access your workstation display, users on those hosts can still copy the contents of your display at any time. When you use the su or passwd command and type your password, the password does not appear on the screen. Therefore, a static copy of your display will not reveal your password. A static copy could, however, reveal the contents of a sensitive file displayed on your screen. If you are working on sensitive files, do not authorize any host to access your display.
After you select the Secure Keyboard item, the window appears in reverse video, and the toggle button next to the Secure Keyboard item appears highlighted to indicate that security mode has been set.
When you change a secure window to an icon, the secure keyboard mode is turned off. If you want security to be on, you must turn it on again when you change your icon back to a window.
You can create only one secure window at a time. If you try to create a second secure window, you will hear a beep, reminding you that secure keyboard mode has been set for another window. If you hear a beep when you try to set secure keyboard mode, but have not set that mode in any other window on your screen, some other application must have set the mode. If this happens, check with your security administrator to find out which application may have set this mode.
By default, DECterm windows block keyboard and mouse information sent from another computer. This means that users on another system cannot send simulated keystrokes or mouse clicks to your workstation. This security feature prevents unauthorized users from sending potentially destructive commands to your workstation when it is idle.
The ability of a DECterm window to block information sent from another host is set by a resource called allowSendEvents, which is set to FALSE in the .Xdefaults file. Each time you begin a session, DECwindows uses the values in this file to control the appearance and other characteristics of window displays on your workstation. The following example shows a line in the .Xdefaults file that sets the allowSendEvents resource to FALSE, thus blocking users logged in to other host systems from sending keyboard or mouse information to any window that you create.
Dxterm*allowSendEvents: false
Leave the allowSendEvents value set to FALSE to prevent unauthorized users from sending input into your DECterm window and executing commands under your user name. An application that opens its own window (not a DECterm window) might not block simulated keystrokes from your display. Therefore, if you are running such an application, check your ACL and remove any hosts that are authorized to access your display before working on sensitive files.
If you must authorize a host to access your display (for example, to run a remote application), remember to set secure keyboard mode before using the passwd or su commands and typing your password.
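As an added example that is not part of the manual, the following sh script audits the two files this chapter ties to display access: it lists the hosts an /etc/X*.hosts file authorizes (the system ACL described earlier) and reports whether an .Xdefaults file leaves allowSendEvents set to true, commenting that line out and appending the chapter's Dxterm*allowSendEvents: false line when it does. Treating text after # in the hosts file as a comment is this example's assumption, since the chapter only says the file lists host names; the function names and the sample file contents are constructed for the demonstration, which runs on copies in a temporary directory rather than on /etc or your home directory.

```shell
#!/bin/sh
# Added example (not from the manual): audit the two files the chapter ties to
# display access, a system ACL file (/etc/X*.hosts) and .Xdefaults, and turn
# allowSendEvents off if it is on. Paths are arguments so copies can be audited.

# Print the host names listed in an X*.hosts file, one per line, with leading and
# trailing blanks removed. Blank lines and text after '#' are ignored; treating
# '#' as a comment marker is this example's assumption, not something the manual states.
list_acl_hosts() {
    awk '{ sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); if ($0 != "") print }' "$1"
}

# Return 0 if the last non-comment allowSendEvents line in FILE has a true-like
# value (true/on/yes/1), 1 if it is false or absent. Resource comments begin with '!'.
send_events_allowed() {
    val=$(awk -F: '/^[ \t]*!/ { next }
                   /allowSendEvents[ \t]*:/ { v = $2; gsub(/[ \t]/, "", v); last = tolower(v) }
                   END { print last }' "$1")
    case "$val" in
        true|on|yes|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Comment out every existing allowSendEvents line in FILE and append the line the
# chapter shows, so that DECterm windows block synthetic keyboard and mouse events.
block_send_events() {
    tmp="$1.tmp.$$"
    awk '/^[ \t]*!/ { print; next }
         /allowSendEvents[ \t]*:/ { print "! disabled by audit: " $0; next }
         { print }' "$1" > "$tmp" &&
    printf '%s\n' 'Dxterm*allowSendEvents: false' >> "$tmp" &&
    mv "$tmp" "$1"
}

# Print a short report for ACLFILE and XDEFAULTS; return 0 only if no remote host
# is authorized and synthetic events are blocked.
report_display_access() {
    rc=0
    if [ ! -r "$1" ]; then
        echo "note: $1 is missing or unreadable; treating it as an empty ACL"
    fi
    n=$(list_acl_hosts "$1" 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "ok:   $1 lists no hosts; only the local host can use the display"
    else
        echo "WARN: $1 authorizes $n host(s):"
        list_acl_hosts "$1" | sed 's/^/        /'
        rc=1
    fi
    if send_events_allowed "$2"; then
        echo "WARN: allowSendEvents is true in $2; authorized hosts can send simulated input"
        rc=1
    else
        echo "ok:   allowSendEvents is false or unset in $2"
    fi
    return $rc
}

# Demonstration on constructed sample files in a temporary directory (not /etc).
demo=$(mktemp -d)
printf '%s\n' '# constructed sample X0.hosts' 'alpha.example.com' '  beta.example.com  ' > "$demo/X0.hosts"
printf '%s\n' '! constructed sample .Xdefaults' 'Dxterm*allowSendEvents: true' 'Dxterm*foreground: black' > "$demo/.Xdefaults"
report_display_access "$demo/X0.hosts" "$demo/.Xdefaults" || echo "-> running block_send_events"
block_send_events "$demo/.Xdefaults"
report_display_access "$demo/X0.hosts" "$demo/.Xdefaults" || echo "-> the ACL entries remain; only the security administrator should change them"
rm -r "$demo"
```

On a real workstation you would run report_display_access /etc/X0.hosts "$HOME/.Xdefaults" and leave the ACL file to your security administrator. Note that send_events_allowed takes the last matching non-comment line, which is a simplification: the X resource manager resolves several matching specifications by their specificity rather than their order, so if your .Xdefaults contains more than one allowSendEvents line, confirm the effective value in the running session as well.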
In a DECwindows environment, you can pause your current session. This locks your workstation without ending your session. Your screen is cleared, and the system displays the Pause screen. You can resume your session any time without recreating your screen environment.
To put your current session on hold, choose the Pause menu item from the Session menu. Your screen is cleared and the Continue Session box is displayed. To continue your session, type your password, then click on the OK button or press Return.
Once your password is verified, your session resumes.
Workstations present security problems because they are typically found in ordinary offices, rather than the more easily protected environment of the computer room.
It is possible for someone who gains access to a workstation to get superuser status on that system and consequently on other systems. One method is to boot the system into single user mode.
If your office has a locking door, lock the door when you are away from your system.
You must also protect your removable media, such as tape cartridges and floppy disks, by locking up all floppy disks and tape cartridges when they are not in use.
Some workstations allow a console password to be set. When a console password is in use, only a default boot can be done without a password. Check your hardware and firmware documentation for more information about console passwords.