Interesting find. I found out that my Xorg has been listening on the abstract sockets too - it's just that I didn't notice until you brought it out!

BarryK wrote:
A useful read on abstract sockets, though it is unclear to me why they should be a security threat:
http://tstarling.com/blog/2016/06/x11-s ... isolation/
In my previous test I used this "unshare -piumUrfn --mount-proc" - which is almost identical to yours, except that the extra "-n" enables network isolation as well, and according to the articles you linked, is the only way to "hide" an abstract socket from within the container. No wonder my test didn't work (which I expected not to work). When I dropped that "-n", I got the same result as you - X apps start even when /tmp/.X11-unix/X0 is hidden.
I think it's a security threat because:
a) you can't prevent access from within standard chroot (you need network namespaces to disable it)
b) you can't control the permissions of the abstract socket
Which basically means, if you know the name of the socket, then **everybody** can connect.
Very bad. I should disable this immediately.
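A quick way to confirm the point made above on your own box is to look at /proc/net/unix, where the kernel lists every Unix-domain socket and shows abstract names with a leading "@" (the X server's abstract listener appears as @/tmp/.X11-unix/X0). The script below is an added example, not code from the forum post or from Puppy; it parses a constructed sample of /proc/net/unix output, picks out listening abstract sockets (Flags 00010000 marks a listening socket), and flags any that are X display sockets. The sample lines and their inode numbers are made up for the example.

```shell
#!/bin/sh
# Added example (not from the forum post): detect abstract Unix sockets,
# and in particular an X server listening on one, from /proc/net/unix text.

# Constructed sample of /proc/net/unix output (not captured from a real host).
# Fields: Num RefCount Protocol Flags Type St Inode Path
# Abstract names are shown with a leading "@"; Flags 00010000 = listening.
SAMPLE='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20001 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20002 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 20003 @/tmp/dbus-AbCd1234
0000000000000000: 00000003 00000000 00000000 0001 03 20004 /run/dbus/system_bus_socket'

# abstract_sockets: read /proc/net/unix-formatted text on stdin and print the
# names of listening abstract sockets (skips the header, unnamed sockets and
# filesystem-path sockets, which do have permission bits and can be hidden
# by a mount namespace).
abstract_sockets() {
    awk 'NR > 1 && $4 == "00010000" && substr($8, 1, 1) == "@" { print $8 }'
}

# x11_abstract_listeners: keep only X display sockets (@/tmp/.X11-unix/X<n>).
x11_abstract_listeners() {
    abstract_sockets | grep '^@/tmp/\.X11-unix/X[0-9]*$'
}

# count_x11_abstract: how many abstract X listeners are present in stdin.
count_x11_abstract() {
    x11_abstract_listeners | wc -l | tr -d ' '
}

# Usage on a live host (prints nothing if Xorg is not on an abstract socket):
#   x11_abstract_listeners < /proc/net/unix
# Against the constructed sample:
#   printf '%s\n' "$SAMPLE" | x11_abstract_listeners
```

Run `x11_abstract_listeners < /proc/net/unix` on the real system: if it prints @/tmp/.X11-unix/X0, the X server is reachable by name from any process in the same network namespace regardless of what is mounted under /tmp, which is exactly the hole the "-n" test exposed. Xorg can be started with `-nolisten local` to stop it opening the abstract socket, after which only the filesystem socket (with its normal permission checks) remains.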