Thursday, November 15, 2007

Do You Run X on Linux or Unix Servers?

I very infrequently install X11/Xorg on any servers, unless I'm doing an install for a client and they ask for it. My most common server install is a base installation of Debian stable that weighs in at about 300MB. I always thought there was no need for a graphical display on a server, for the standard reasons:

  • The X server uses resources better devoted to key server processes
  • There are security implications to having the additional libraries and binaries on a system
  • The command line is much more efficient when you need to get something done

Of course, you can leave out the X server, and just install the needed X clients. SSH works great with its built-in X forwarding. But you still have a potential security problem to deal with on the server itself - local privilege escalation from an insecure X binary, for example.
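As an added example (not part of the original post), the shell function below inventories setuid/setgid files under a directory and tags the ones that reference X11 client libraries, which is the residual local attack surface described above. The function name `audit_suid_x` and the library-name heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and mark those tied to X11.

# Heuristic (assumption): a dynamically linked ELF binary stores the names of
# the libraries it needs as plain strings, so grep can spot X11 client
# libraries without executing the file or trusting ldd on it.
X_LIB_PATTERN='lib(X11|xcb|Xt|Xext|Xmu)\.so'

# audit_suid_x ROOT
# Prints one line per setuid/setgid regular file below ROOT:
#   <X11|other> <ls-style mode string> <path>
audit_suid_x() {
    root=${1:-/usr}
    # -xdev keeps the scan on one filesystem; the two -perm tests are the
    # POSIX way to say "setuid or setgid bit set".
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -aqE "$X_LIB_PATTERN" "$f" 2>/dev/null; then
            tag=X11
        else
            tag=other
        fi
        mode=$(ls -ld "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$tag" "$mode" "$f"
    done
}

# count_suid_x ROOT
# Number of setuid/setgid files below ROOT that reference X11 libraries.
count_suid_x() {
    audit_suid_x "$1" | grep -c '^X11 ' || true
}
```

Run `audit_suid_x /usr` as root on the server so unreadable binaries are not silently tagged `other`; every `X11` line is a candidate for removing the package or dropping the setuid bit.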

It seems things have been changing lately. Memory and CPU are more plentiful, so resources are not as much of a concern as they were even five years ago. Default installs from the commercial Linux vendors install a full-blown graphical desktop, although they still offer the choice of a minimal installation. Security will always be an issue, but SELinux and AppArmor ease concerns about buffer overflows and privilege escalation. And there are some useful graphical tools with features that would be hard to replicate from a shell - Red Hat's virtual machine manager comes to mind. I still refuse to install X on servers, mainly because I'm habituated to years of shell use (hell, even on my desktops I spend a disproportionate amount of time in a terminal or Emacs buffer). There just seems to be less reason not to install X these days, apart from personal preference.

So I'm wondering, do you install X on your servers, or recommend it for your clients or employer? If so, why?


Anonymous said...

I usually use a pretty much default installation, X and all. While the potential security threats that the additional software poses are there, they usually remain just that -- potential problems. OTOH, the potential for a sysadmin to compromise security by operator error when using the command line seems more likely to be a real problem, and this is mitigated by having access to easy-to-use GUI admin tools.

I'm sure that it varies greatly though, depending on the caliber of the sysadmins involved, and the number of different systems they're expected to administer.

Jason said...

Agree with your article 100%. Unless a user can give me a valid reason for installing X, there's no point.

Occasionally, a DBA will want to use VNC, so we install xterm and some lightweight window manager, but it's only running inside the VNC session -- no gdm/xdm/kdm/etc.

Of course, on every server we install the X libs/clients for SSH/X-forwarding, only because some apps have a better X interface (or the console version is missing a feature, etc).