The X Window System:
Overview, Configuration and
Security
The X Window System: Overview
X Window
• The X Window System was developed as part of Project Athena at
MIT. X Version 11 was released in 1987. Control later passed to the
X Consortium and then the Open Group; today X is maintained by the
X.Org Foundation.
• There are reasons to use the X Window System:
• You’ll come across situations when it’s easier to do a thing in X.
• When it comes to viewing graphics, the command line has no answer.
• Applications are quickly moving to the X Window platform.
The Graphic User Interface in X
• X Window uses a bit-mapped display where each pixel can be
manipulated individually.
• The entire display is known as the root window, and individual
applications are displayed as windows on this root window.
• It’s possible to change the appearance of a window instantly by
running a separate program after starting X. This program is called the
window manager.
Starting and Stopping X
• X is started with the startx or xinit commands.
• X can also be invoked during system startup by xdm, the display
manager, which runs as root and presents a graphical login. Run by
hand, xdm can be invoked by the root user only.
• Use a menu entry like Exit Session or Log Out on the desktop to quit X.
• X splits an application into two components, a client and a server.
The X Architecture
• The server program controls the monitor, keyboard and mouse, while
the application itself is the client.
• X programs are portable because they leave the actual drawing of
windows to the server.
• Because X also runs over TCP/IP, a client can run on one machine and
have its display on another. The protocol itself is cleartext, so
everything sent to a remote display, keystrokes included, can be read
on the network; modern X servers therefore start with -nolisten tcp.
• The xhost client controls which hosts may connect to the server.
Running X Programs Remotely
• xhost + bugs adds the host bugs to the access control list. Every
user on bugs can then connect, and a client that can connect to your
server can read your keystrokes and grab your screen.
• xhost + disables access control entirely: any host that can reach
the server may connect.
• xhost - re-enables access control (xhost - bugs removes one host).
• The environment variable DISPLAY determines where the client
should display its output.
DISPLAY=bugs:0.0; export DISPLAY
X Techniques and Components
• The -display option can be used with any X client to direct program
output to a particular server.
rsh bugs xcalc -display sisko:0
• rsh sends the command and the X traffic in cleartext and depends on
an xhost entry on sisko. ssh -X bugs xcalc forwards the display over
the encrypted SSH channel, sets DISPLAY for you and authorizes the
client with a per-session xauth cookie instead of a host-wide xhost
entry.
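The following is an added example in shell, not code from the original slides: it classifies where a DISPLAY value sends X traffic and checks captured xhost output for a wide-open server. The xhost output strings are constructed for the example, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original slides: audit X display exposure.
# display_transport() looks only at DISPLAY; xhost_state() reads the text
# that `xhost` (no arguments) prints. Sample outputs below are constructed.

# display_transport DISPLAY: local (Unix socket), loopback (typically an
# SSH-forwarded display), tcp (cleartext X over the network) or invalid.
display_transport() {
  case "$1" in
    :[0-9]*|unix:[0-9]*)               echo local ;;
    localhost:[0-9]*|127.0.0.1:[0-9]*) echo loopback ;;
    *:[0-9]*)                          echo tcp ;;
    *)                                 echo invalid ;;
  esac
}

# xhost_state XHOST_OUTPUT: classify the server's access control list.
#   open         - `xhost +` was run: any host may connect, no check at all
#   host-trusted - whole hosts are trusted (xhost + bugs): every user on that
#                  host can open windows, read keystrokes and grab the screen
#   restricted   - only the default local-user entries, nothing host-wide
xhost_state() {
  if printf '%s\n' "$1" | grep -q '^access control disabled'; then
    echo open
  elif printf '%s\n' "$1" | grep -Eq '^INET6?:'; then
    echo host-trusted
  else
    echo restricted
  fi
}

# Constructed samples of what `xhost` prints in each state.
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_TRUSTED='access control enabled, only authorized clients can connect
INET:bugs
SI:localuser:alice'
XHOST_DEFAULT='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Stand-alone run: report on the current shell's DISPLAY and each sample.
printf 'DISPLAY=%s -> %s\n' "${DISPLAY:-unset}" "$(display_transport "${DISPLAY:-}")"
for s in "$XHOST_OPEN" "$XHOST_TRUSTED" "$XHOST_DEFAULT"; do
  printf 'xhost: %s\n' "$(xhost_state "$s")"
done
```

The "loopback" case is what ssh -X leaves you with (DISPLAY=localhost:10.0): the connection is encrypted end to end and authorized by a per-session xauth cookie, so the xhost list can stay at its default. A "tcp" DISPLAY combined with an "open" or "host-trusted" xhost state is the configuration to fix.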
• All windows have a title bar comprising a number of buttons. The left
button brings up the Window menu.
• A window can be moved, resized, minimized, maximized and closed
using these buttons.
• A window is generally brought into focus by clicking on the window or
its title bar.
• X windows comprise a number of widgets (components). They can be
buttons, scrollbars, checkboxes, radio buttons, tabs and drop-down
boxes.
• By default, X clients don’t have any window management functions. A
special client, the window manager, must be invoked at the start of
an X session.
The Window Manager – A Special Client
• A window manager makes it possible to move and resize windows.
• The standard window manager for UNIX was Motif’s mwm, later
replaced by dtwm of CDE.
• fvwm and kwm are two of the many window managers available on
Linux.
• Nowadays, KDE and GNOME are the two widely used desktop
environments on Linux; each ships its own window manager (KWin for
KDE, Metacity and later Mutter for GNOME).
CDE: The Common Desktop Environment
• The Common Desktop Environment (CDE) provides a standard look
for both the desktop and the window manager.
• It features a Front Panel from which you can launch many
applications.
• The File Manager handles the file and directory functions, and the
Trash Can stores deleted files.
• The Front Panel also offers a Workspace Switch that lets you create
virtual desktops.
xterm: The Main Client
• You can invoke all UNIX commands and X programs from the UNIX
command line available in an xterm window.
• xterm can also be used with a scrollbar (-sb), and the number of
lines saved can be specified (-sl).
• X programs run with a number of common options.
Command Line Options
• You can specify the size and position of a window (-geometry) and
its foreground and background colors (-fg and -bg).
• You can start a program as an icon (-iconic) and provide a name
(-name) or title (-title).
• You can copy text from any window by merely selecting it with the
left mouse button.
Copy and Paste
• The copied text is pasted back by clicking the middle button.
• Multiple sections of copied text can be stored in the xclipboard client,
from which they can be pasted anywhere.
• There are several standard clients available in X. X offers a clock
(xclock) and a calculator (xcalc).
xclock -digital &
Standard X Clients
• xbiff is a mailbox flag for X.
xbiff -rv -title biff -file $MAIL
• xload displays the system load, and is often used with remote
machines.
• xkill kills the client that owns the window you click on. It can kill
all clients with top-level windows in one invocation (-all).
• X can be easily customized. You can start X clients from the file
.xinitrc, the startup file used by xinit.
X Resources
• X resources let you change practically any X feature.
• The settings are kept in .Xdefaults (or .Xresources), and xrdb can be
used at any time to load this file into the server.
• Individual settings can also be overridden with the -xrm option
accepted by every X client built on the X Toolkit.
Configuration and Security
Security-Enhanced Linux (SELinux)
• Kernel-level mandatory access control, included in the mainline
kernel since 2.6
• Not an application interface: applications are not SELinux-aware,
they just see the ordinary access denied error code (EACCES) when a
policy check fails
• Works alongside, not instead of, file permissions and ACLs: the
normal DAC check runs first, then SELinux
• Configuration directory: /etc/selinux (main file /etc/selinux/config)
• Old GUI: system-config-selinux; new GUI: policycoreutils-gui
• BE CAREFUL with changes, especially deleting files: files created or
moved by hand can end up with the wrong label
• If a policy locks you out, add "enforcing=0" (permissive) or
"selinux=0" (disabled) to the kernel line in the GRUB edit menu
• Protects files, processes and applications
• Based on a security “context”
An SELinux security context comprises an identity (the SELinux user), a role, and a type for
files and other objects or a domain for processes; MLS-capable policies add a level. Under the
strict policy the default context for root had the role sysadm_r and the domain sysadm_t; under
the default targeted policy root logs in unconfined, as unconfined_u:unconfined_r:unconfined_t.
SELinux Modes and Policy Types
• Enforcing: the SELinux policy is enforced; denied accesses are refused
and logged as AVC records in /var/log/audit/audit.log (or the kernel
log when auditd is not running)
• Permissive: the policy is loaded but not enforced; denials are only
logged and the access goes ahead. Used for troubleshooting SELinux
issues
• Disabled: SELinux is turned off. Files created while disabled get no
labels, so a full relabel is needed when it is switched back on
• Targeted: only specific (mostly network-facing) daemons are confined;
everything else runs unconfined
• MLS/Strict: every process is confined, system-wide; MLS adds
sensitivity levels and categories on top of that
SELinux Policy
• Policy: the set of rules loaded into the SELinux security server. It
defines types for file objects and domains for processes, and the
SELinux users (identities) and roles that limit which domains a user
can enter.
• Strict - minimum access, every process confined
• Targeted - specific processes confined
• Unconfined - the unconfined_t domain, effectively outside SELinux
control (only the normal DAC checks apply)
SELinux Access Control
• Type Enforcement (TE): the primary mechanism of access control used
in the targeted policy. Every rule says which source type may perform
which operations on which target type of which object class.
• Role-Based Access Control (RBAC): based around SELinux users (not
necessarily the same as the Linux user) and the roles they may hold;
little used in the default targeted policy
• Multi-Level Security (MLS): not commonly used, and the level field is
often hidden in the default targeted policy.
• Contexts are shown with the -Z option (ls -Z, ps -Z etc.)
SELinux Commands
• sestatus: show SELinux status, loaded policy type and current mode
• getenforce: show the current mode (Enforcing, Permissive or Disabled)
• setenforce 0|1: switch between permissive and enforcing at runtime
(disabling SELinux needs a reboot)
• semanage: command line policy management (ports, booleans,
file-context rules, login-to-SELinux-user mappings)
• chcon: change a file's SELinux context; the change is lost at the
next relabel
• restorecon: restore the default SELinux context from the file-context
rules. semanage fcontext followed by restorecon is the persistent way
to fix a label
• audit2allow: generate SELinux policy from the denials in
/var/log/audit/audit.log. Check first whether the denial is really a
mislabelled file or a boolean to flip; a generated allow rule grants
that access permanently
• sealert: troubleshooting tool
• ls -Z, ps -Z: show the SELinux context of files and processes
• id -Z: show the current user's context
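The following is an added example in shell, not code from the original slides. It ties together the context layout described above (identity:role:type and, where present, level), the AVC records that enforcing and permissive mode write to /var/log/audit/audit.log, and what audit2allow turns such a record into. The AVC line is constructed for the example (the field layout is the one auditd records), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original slides: triage one SELinux AVC
# denial from audit.log, split its contexts into their parts and show the
# allow rule audit2allow would generate. SAMPLE_AVC is constructed.

# Constructed record: httpd denied read on a file labelled user_home_t.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:4567): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: the value of KEY=... in the record, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the permission set between the braces, e.g. "read".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_part CONTEXT N: part N of identity:role:type[:level].
# The level (N=4) is returned whole, since an MLS range like
# s0-s0:c0.c1023 itself contains a colon.
ctx_part() {
  if [ "$2" -ge 4 ]; then
    printf '%s\n' "$1" | cut -d: -f4-
  else
    printf '%s\n' "$1" | cut -d: -f"$2"
  fi
}

# avc_summary LINE: "<source type> <perms> <target type> <class>",
# the one-line view a detection rule or sealert would show.
avc_summary() {
  printf '%s %s %s %s\n' \
    "$(ctx_part "$(avc_field "$1" scontext)" 3)" \
    "$(avc_perms "$1")" \
    "$(ctx_part "$(avc_field "$1" tcontext)" 3)" \
    "$(avc_field "$1" tclass)"
}

# avc_to_allow LINE: the type-enforcement rule audit2allow would emit.
# Loading it is the last resort. Here the target type user_home_t says
# the file is mislabelled for a web root, so the right fix is to label
# it with restorecon (or semanage fcontext), not to widen httpd_t.
avc_to_allow() {
  printf 'allow %s %s:%s { %s };\n' \
    "$(ctx_part "$(avc_field "$1" scontext)" 3)" \
    "$(ctx_part "$(avc_field "$1" tcontext)" 3)" \
    "$(avc_field "$1" tclass)" \
    "$(avc_perms "$1")"
}

# avc_enforced LINE: succeeds if the access was really refused (enforcing),
# fails if the record was only logged in permissive mode.
avc_enforced() {
  [ "$(avc_field "$1" permissive)" = "0" ]
}

# Stand-alone run on the constructed record.
avc_summary "$SAMPLE_AVC"
avc_to_allow "$SAMPLE_AVC"
if avc_enforced "$SAMPLE_AVC"; then echo "mode: enforcing"; else echo "mode: permissive"; fi
```

On a real system the same functions can be fed from `grep ^type=AVC /var/log/audit/audit.log`; the summary line is what to compare against the expected labels before reaching for audit2allow.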