Security

Linux's X.org server is vulnerable. Here's how to stay safe.

Security has come front and center for every aspect of technology — even the display server. Jack Wallen shines a spotlight on the Linux X.org server, why it's insecure, and what you can do.

xhero.jpg
Image: Jack Wallen

The Linux operating system is known for security. From the bottom up, Linux was designed to be a platform to be trusted. There is, however, one weak link in the chain. This weakness didn't just appear, nor is it considered a security bug on any given radar. What I'm talking about is the antiquated X11 Window server still found in use on most Linux distributions.

For those that don't know, X was originally designed and released in 1985 and X11 in 1987. X.org replaced X11 and was originally released April 6, 2004. When X was originally conceived, the computing world was in a completely different state. Both X and X.org lack a few very important security features that are critical for modern era usage and hardware:

  • All X applications have access to everything on your screen
  • All X applications can register to receive every keystroke, regardless of which window said keystrokes are typed within
  • Applications such as browsers can be remotely controlled such that keystrokes can be forged as if the user were typing them
  • The xhost + option can completely disable any security on the display

Effectively, with X.org, your display could be turned into a keylogger. That, my friends, is reason enough to warrant the switch. Thing is, however, few distributions have officially made the jump from X.org to the likes of Wayland. In fact, the only major distribution to make the switch is Fedora. And we all know what happened with the Ubuntu Desktop and its attempted migration from X.org. The good news on that front is that Ubuntu 18.04 will be making use of the newer Wayland X server. Once Ubuntu makes the switch, Ubuntu spinoffs will also enjoy the change.

What to do until then?

That's where the hurdles start to appear. Many of your existing applications will only work on Wayland by way of an X11 protocol wrapper. My guess is that this will be a requirement until Ubuntu has finally made the switch. Until then, your best bet (for the highly paranoid) is to make use of a tool like Firejail, which is a SUID program that restricts the running environment of untrusted applications (like browsers). On a Ubuntu-based system, you can install Firejail with the command:

sudo apt-get install firejail

Once installed, you can run an application like so:

firejail firefox

Unfortunately, simply installing Wayland on your current distribution isn't recommended. If you want to immediately jump ship to a distribution that uses Wayland, as I mentioned earlier, your only choice of a major Linux flavor is Fedora. If you venture outside of major territory, you'll find a few smaller distros that are already implementing Wayland. For instance, RebbecaBlackOS (a Debian testing distribution) uses Wayland by default. Two other lesser-known distributions that rely on Wayland are Liri and MauiOS.

Beyond that, you'll have a heck of a time finding a polished distribution that has kicked X.org to the curb, in favor of a more modern and secure X server.

Don't panic

You do not need to panic. Malicious software isn't going to all of a sudden appear on your Linux desktops, simply because you are using a distribution that continues to hold strong to the past. The transition from X.org to Wayland is a very challenging feat — one that should prove well worth the wait. If, however, you are overly concerned about security (which, let's face it, you should be), it would behoove you to either implement Firejail or migrate to Fedora (even if only until your distribution of choice finally makes the switch to Wayland).

Eventually all of the major distributions will wind up leaving behind the out of date technology found in X.org. My guess is that reality will happen some time around April, 2018. If you're unsure as to the significance of that date, Ubuntu 18.04.

Also see

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks

Free Newsletters, In your Inbox