In the previous post, we ran Firefox inside a container on OS X. To allow connections from the container to X11, we used xhost + $(hostname). This gives rise to a serious security vulnerability.
Let’s list the entries in the ACL before adding our local machine:
$ /usr/X11R6/bin/xhost
access control enabled, only authorized clients can connect
Now let’s add our local machine to the ACL:
$ /usr/X11R6/bin/xhost + $(hostname)
<my-machine-name>.local being added to access control list
Let’s list the entries in the ACL again:
$ /usr/X11R6/bin/xhost
access control enabled, only authorized clients can connect
INET:192.168.1.x
INET6:ganessh-macbook.local
Our IP address has been added to the ACL. If you switch between networks regularly, or your dynamic IP address is renewed to a new address, X11 will stop allowing connections from the container. You must remove the old IP address from the ACL; otherwise Bob can take your old IP address (in your network) and hijack your X display.
Let’s remove our machine from the ACL. Removing the hostname removes both the hostname and the IP address entries from the ACL:
$ /usr/X11R6/bin/xhost - $(hostname)
<my-machine-name>.local being removed from access control list
$ /usr/X11R6/bin/xhost
access control enabled, only authorized clients can connect
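The stale-entry problem above is easy to check for mechanically. The following is an added example, not part of the original post: a small POSIX sh audit that reads the output of xhost, flags INET entries that no longer match the address this host currently uses, prints the matching xhost - commands for review, and detects the case where xhost + has disabled access control outright. The xhost output it runs against is constructed for the example (the addresses are not real).

```shell
#!/bin/sh
# Added example (not from the original post): audit the entries `xhost` reports.
# A stale INET entry lets whichever host later receives your old address connect
# to the display, so list such entries and print the `xhost -` calls that remove them.

# Constructed sample of `/usr/X11R6/bin/xhost` output (not captured from a real machine).
SAMPLE_XHOST_OUTPUT='access control enabled, only authorized clients can connect
INET:192.168.1.20
INET:10.0.0.5
INET6:ganessh-macbook.local'

# acl_disabled: reads xhost output on stdin; succeeds when `xhost +` has turned
# access control off entirely, i.e. any host may connect to the display.
acl_disabled() {
    grep -q '^access control disabled'
}

# stale_inet_entries CURRENT_IP: reads xhost output on stdin and prints every
# INET: entry whose address differs from the address this host uses now.
stale_inet_entries() {
    awk -F: -v cur="$1" '$1 == "INET" && $2 != cur { print }'
}

# removal_commands CURRENT_IP: turns each stale entry into the xhost command that
# removes it, so the list can be reviewed before it is run.
removal_commands() {
    stale_inet_entries "$1" | sed 's#^INET:#/usr/X11R6/bin/xhost - inet:#'
}

# Run against the constructed sample; on a real host pipe `xhost` output in
# and pass the address from `ipconfig getifaddr en0` (or similar) instead.
printf '%s\n' "$SAMPLE_XHOST_OUTPUT" | removal_commands 192.168.1.20
```

The audit deliberately prints the removal commands rather than running them, so that the entry for the address you are actually using is never removed by accident.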
Using xhost + (an open X display) is one of the highest-rated system vulnerabilities. So let’s use another, safer way in this post. The drawback of this method is that it requires us to extend the image and create a local image containing our xauth file.
# Dockerfile
FROM jess/firefox
# Host user name and uid, supplied with --build-arg, so that the container user
# has the same uid as the host user who owns the mounted xauth file and volumes.
ARG user
ARG uid
ENV USERNAME ${user}
RUN useradd -m $USERNAME && \
    echo "$USERNAME:$USERNAME" | chpasswd && \
    usermod --shell /bin/bash $USERNAME && \
    usermod --uid ${uid} $USERNAME && \
    groupmod --gid ${uid} $USERNAME
# Run Firefox as that user, not as root.
USER ${user}
WORKDIR /home/${user}
ARG references in the Dockerfile are supplied using --build-arg:
$ docker build --build-arg user=$USER --build-arg uid=$(id -u) -t <image_name> .
We use :0 as our display. Export its X authority cookie into a file the container can read; the sed rewrites the cookie’s address family to the wildcard family, so the cookie matches the container’s hostname as well. Note: if it complains that the file /tmp/.docker.xauth doesn’t exist, touch the file and re-run the command.
$ /usr/X11R6/bin/xauth nlist :0 | sed -e 's/^..../ffff/' | /usr/X11R6/bin/xauth -f /tmp/.docker.xauth nmerge -
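To see what that one-liner actually changes, here is an added example (not code from the original post) that takes the same sed rewrite apart. xauth nlist prints one entry per line as whitespace-separated hex fields (family, address length, address, display-number length, display number, auth-name length, auth name, data length, data); the first field is the address family the cookie is bound to. The entry xauth stores for :0 is bound to this host’s name (FamilyLocal, 0100), which the container does not share, so the rewrite to ffff (FamilyWild) lets the entry match any address. The sample nlist line is constructed, with a dummy cookie value; the decoder and the all-wild check are additions you can run over a real /tmp/.docker.xauth with xauth -f /tmp/.docker.xauth nlist before mounting it.

```shell
#!/bin/sh
# Added example (not from the original post): decode `xauth nlist` entries and
# check a cookie file before it is mounted into a container.
# Field order per line: family addrlen address numlen number namelen name datalen data
# Family values from X.h: 0000 FamilyInternet, 0006 FamilyInternet6,
# 0100 FamilyLocal (bound to this hostname), ffff FamilyWild (matches any address).

# Constructed `xauth nlist :0` line: FamilyLocal, address "myhost", display "0",
# MIT-MAGIC-COOKIE-1, and a dummy 16-byte cookie that is not a real secret.
SAMPLE_NLIST='0100 0006 6d79686f7374 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 00112233445566778899aabbccddeeff'

# wildify: the rewrite the post applies, as a filter on stdin. Only the first
# four hex digits (the family) change; the address and cookie stay as they are.
wildify() {
    sed -e 's/^..../ffff/'
}

# family_name HEX: human-readable name for an nlist family field.
family_name() {
    case "$1" in
        0000) echo FamilyInternet ;;
        0006) echo FamilyInternet6 ;;
        0100) echo FamilyLocal ;;
        ffff) echo FamilyWild ;;
        *)    echo "unknown($1)" ;;
    esac
}

# hex2str HEX: decode a hex-encoded string field using only POSIX printf
# octal escapes (no xxd or printf \x, which not every /bin/sh supports).
hex2str() {
    hex="$1"
    while [ -n "$hex" ]; do
        pair="${hex%"${hex#??}"}"
        hex="${hex#??}"
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# describe: reads nlist lines on stdin and prints each entry decoded. The cookie
# bytes themselves are reported only by length, so the output is safe to paste.
describe() {
    while read -r fam alen addr nlen num namelen name dlen data; do
        [ -n "$fam" ] || continue
        printf '%s addr=%s display=%s proto=%s cookie=%s bytes\n' \
            "$(family_name "$fam")" "$(hex2str "$addr")" "$(hex2str "$num")" \
            "$(hex2str "$name")" "$((0x$dlen))"
    done
}

# all_wild: reads nlist lines on stdin; succeeds only if every entry has the
# wildcard family, i.e. the file was built through wildify and will work from
# inside a container with a different hostname.
all_wild() {
    awk 'NF && $1 != "ffff" { exit 1 }'
}

# Show the entry before and after the rewrite.
printf '%s\n' "$SAMPLE_NLIST" | describe
printf '%s\n' "$SAMPLE_NLIST" | wildify | describe
```

Because the cookie is still the real MIT-MAGIC-COOKIE-1 for your display, the exported file should be kept readable only by your own user; that is what the matching uid in the Dockerfile is for.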
$ docker run -d \
    --memory 2gb \
    --net host \
    --cpuset-cpus 0 \
    -v /etc/localtime:/etc/localtime:ro \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -v $HOME/docker_data/.firefox/cache:/home/$USER/.cache/mozilla \
    -v $HOME/docker_data/.firefox/mozilla:/home/$USER/.mozilla \
    -v $HOME/Downloads:/home/$USER/Downloads \
    -v /tmp/.docker.xauth:/tmp/.docker.xauth:rw \
    -e XAUTHORITY=/tmp/.docker.xauth \
    -e DISPLAY=$ip:0 \
    -e GDK_SCALE \
    -e GDK_DPI_SCALE \
    --name firefox \
    <image_name>
The above run command preserves Firefox’s data on the mounted volumes. The image run is the one built above, <image_name>, which runs Firefox as $USER rather than root, so the profile, cache and Downloads volumes are mounted under /home/$USER; $ip is assumed to hold the host’s IP address, as in the previous post.
Issues left unfixed