Name

mxconns - an X11 connection monitor

Synopsis

mxconns [options]

Description

mxconns is an X11 proxy, i.e., a virtual X11 server (or "display") which can be used as a protective front end for your real X11 server. Each time an X11 application connects to this virtual display, mxconns asks you if the new connection should be accepted. If so, mxconns relays the connection through to your real X11 display.

mxconns can optionally inspect the X requests sent by the X client and prompt the user when it detects dangerous ones (like spying the keyboard). It can also silently replace these dangerous requests by inoffensive ones (NoOp).

Usage

mxconns can easily be used to enhance the security of your X server. To do so, secure your display with xhost(1) and/or xauth(1), start mxconns and use only the virtual display that it created when you start remote and/or untrusted X clients.

mxconns does not send anything on its standard output (stdout) except when the -verbose option is used. In this case, it prints the virtual display that it created. All the other messages (errors, debugging) go to stderr.

mxconns can be started automatically by putting in your ~/.xsession file something like:

XDISPLAY=`mxconns -verbose -fork -hunt`; export XDISPLAY

You can then use $XDISPLAY to start untrusted X clients and the error (and debugging) messages will go to the Xsession log file...

User Interface

mxconns displays the list of all the X11 connections being relayed in a scrollable window. You can close an active connection by double-clicking on it (you'll be asked for a confirmation). Warning: if you close the mxconns window you kill the program, but you also close all the active connections!

You can also select a connection by clicking on it and change its flags with the help of a popup menu that is available when pressing the right mouse button. The menu also allows you to get some information about a connection: start time, number of X packets relayed, names of the windows opened by this X client...

Connection Flags

Each connection has its own set of flags, telling mxconns what to do. The initial flags are set by the -icf option and/or the configuration file and can be changed by hand later using the user interface.

The recognised flags are:

Frozen
no input/output is performed, the X client is blocked
Checked
all X client requests are inspected for dangerous things, the user is prompted when potential harmful requests are found
Safe
all X client requests are inspected and the "safe" action (usually replacing the request by a NoOp) is performed by default, without bothering the user

Options

mxconns supports the following command line options:

-config path
use the given configuration file
-debug string
set the debugging flags according to the given string (not yet documented)
-dispno number
specify the display number of the virtual display to be created; the default is 5
-fork
put itself in the background
-hunt
try all display numbers starting with the value given to -dispno until one free display is found
-icf string
set the initial connection flags according to the given string, that can contain any combination of «f» for Frozen, «c» for Checked and «s» for Safe
-ident
try to use the IDENT protocol (RFC-1413) to find out which user started the X client; this information is then displayed by mxconns and can be used in the configuration file
-iname string
set the icon name accordingly
-verbose
print the virtual display that is created; this is useful with the -hunt option

-xsock path
use the given path to create UNIX sockets; the path must contain a "%d" that will be replaced by the actual display number (this can be needed for instance on Solaris where a recent patch moved the X UNIX sockets to "/var/X/.X11-unix/X%d"...)

These options (as well as some standard X options) can also be set using X resources. For instance, you can put in your ~/.Xresources something like:

Mxconns*fork: True
Mxconns*dispno: 1
Mxconns*geometry: +0-0

Configuration File

mxconns can be given the path of a configuration file, using the -config option.

Each line of the configuration file should contain: host [action] [flag...]
where

host
can be a name (foo.bar.org), a name regexp (*.bar.org), an IP address (123.456.78.90), an IP regexp (123.456.*.2??), an address/mask (123.456.0.0/255.255.0.0) or any of these with a user name or user name regexp in front (joe@foo or r??t@*.mil)

action
can be `ask' (default), `allow' or `deny'

flag
can be `none' (default), `frozen', `checked' or `safe'; the flags are ORed starting with the initial connection flags specified by the -icf option; the `none' keyword resets the flags to 0

Empty lines and lines starting with # are ignored.

The configuration file is parsed each time a new connection is detected. The corresponding flags are set for the connection and the corresponding action is taken.

Warning: because the `allow' action will give access to your X server without any confirmation, mxconns will make sure that at least the `safe' flag is on.
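The following is an added example, not code from the mxconns distribution: it models how the configuration file and the -icf flags above combine into an (action, flags) decision for a new connection, including the forced `safe' flag on `allow'. The sample configuration is constructed, the name/IP "regexps" are treated as shell-style globs, and first-match-wins is an assumption the man page does not state.

```python
import fnmatch
import ipaddress
# Constructed sample config in the `host [action] [flag...]' format (not a real mxconns file).
SAMPLE_CONFIG = """\
# local clients are relayed unprompted; mxconns forces `safe' whenever `allow' is used
localhost allow
*.bar.org ask checked
# privileged remote accounts (user part needs -ident): freeze until reviewed
r??t@*.mil ask frozen checked
10.20.0.0/255.255.0.0 deny
"""

FLAGS = {"frozen": 1, "checked": 2, "safe": 4}   # bitmask kept per connection
ICF_LETTERS = {"f": 1, "c": 2, "s": 4}           # letters accepted by -icf

def parse_icf(icf):
    """Translate an -icf string such as 'cs' into the initial flag bitmask."""
    return sum(ICF_LETTERS[ch] for ch in icf)

def host_matches(pattern, user, host, ip):
    """True if a config host field matches; user is None without -ident."""
    if "@" in pattern:                           # optional user@ prefix
        upat, pattern = pattern.split("@", 1)
        if user is None or not fnmatch.fnmatchcase(user, upat):
            return False
    if "/" in pattern:                           # address/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    # assumption: name/IP "regexps" are shell-style globs, as the * and ? examples suggest
    return fnmatch.fnmatchcase(host, pattern) or fnmatch.fnmatchcase(ip, pattern)

def decide(config_text, icf, user, host, ip):
    """Return (action, flags); assumption: the first matching line wins."""
    action, flags = "ask", parse_icf(icf)        # defaults if no line matches
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue                             # empty and comment lines are ignored
        if not host_matches(words[0], user, host, ip):
            continue
        for word in words[1:]:                   # [action] then [flag...]
            if word in ("ask", "allow", "deny"):
                action = word
            elif word == "none":
                flags = 0                        # reset, later flags are ORed again
            else:
                flags |= FLAGS[word]
        break
    if action == "allow":                        # no confirmation, so never uninspected
        flags |= FLAGS["safe"]
    return action, flags
```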

See Also

X(1), Xsecurity(1), xauth(1), xhost(1).

Credits and History

The original code and ideas came from "der Mouse" (mouse@collatz.mcrcim.mcgill.edu), with his programs xconns and xc.

Vaughan Clarkson (vaughan@ewd.dsto.gov.au) modified xconns to use Xt and Motif (both for the user interface and for the internal loop). The result is mxconns version 1.*.

Lionel Cons (lionel.cons@cern.ch) enhanced mxconns for its use at CERN, this gave mxconns version 2.*.

Version 3.* of mxconns is a complete rewrite from scratch using ideas from the programs above as well as other similar ones like xmon or xroute.

Author

Lionel Cons <lionel.cons@cern.ch>.

Copyright

This program belongs to CERN (http://www.cern.ch), see the COPYRIGHT file included in the mxconns distribution for more information (http://cern.ch/mxconns/COPYRIGHT).