Bugtraq mailing list archives
Re: Xwindows security?
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Wed, 11 Jan 1995 10:33:09 -0500
Xhost actually has one advantage, of a sort, over xauth: users of xhost can grant access, and later take that access away.
You want to be very careful in assuming that because you type 'xhost -' that your vulnerability goes away. [...existing connections are undisturbed...] Additionally, clients (like xcrowbar) can be started when no authority is in place that turns off the authority mechanisms altogether, thus making the 'xhost -' a moot point.
What's xcrowbar, and how does it "turn[] off the authority mechanisms altogether"? In my experience, only clients running on the local host, or the xdm host if the server was started with xdm, can fiddle with the access control mechanisms.

In any case, yes, it's true that "xhost -" doesn't magically mean you're safe again. What I do, to get the convenience of "xhost -" without giving up quite as much security, is I run a front-end program that accepts connections, replaces the authentication in the startup exchange with saved info that the server will accept, and also maintains a window displaying a list of the connections (currently just host addresses, but it could be modified to display user names if the remote host supports IDENT).

My program currently doesn't, but could, monitor the X request/reply stream and take arbitrary action (freeze the connection, alert me, pop up an interactive protocol debugger window) if it sees something questionable, like a client selecting for keystrokes on a window it didn't create.

der Mouse
mouse () collatz mcrcim mcgill edu
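The startup-exchange rewrite described in the message above, as an added example (it is not der Mouse's program, which the page does not show): it parses the X11 connection-setup request a client sends first and substitutes saved authorization data before the bytes go on to the server. The function names, the choice of MIT-MAGIC-COOKIE-1 and the cookie value are assumptions constructed for illustration.

```python
import struct

def _pad4(n):
    """Padding bytes needed to bring n up to a 4-byte boundary."""
    return -n % 4

def parse_setup(buf):
    """Parse an X11 connection-setup request.

    Returns (endian, major, minor, auth_name, auth_data, consumed),
    or None when buf does not yet hold the whole request."""
    if len(buf) < 12:
        return None
    if buf[0] == 0x42:        # 'B': most significant byte first
        endian = ">"
    elif buf[0] == 0x6C:      # 'l': least significant byte first
        endian = "<"
    else:
        raise ValueError("bad byte-order byte in setup request")
    major, minor, nlen, dlen = struct.unpack(endian + "HHHH", buf[2:10])
    name_end = 12 + nlen
    data_start = name_end + _pad4(nlen)
    data_end = data_start + dlen
    total = data_end + _pad4(dlen)
    if len(buf) < total:
        return None
    return endian, major, minor, buf[12:name_end], buf[data_start:data_end], total

def build_setup(endian, major, minor, name, data):
    """Serialize a setup request with the given authorization fields."""
    order = b"B" if endian == ">" else b"l"
    head = order + b"\0" + struct.pack(endian + "HHHH", major, minor,
                                       len(name), len(data)) + b"\0\0"
    return head + name + b"\0" * _pad4(len(name)) + data + b"\0" * _pad4(len(data))

def rewrite_setup(buf, saved_name, saved_data):
    """Swap the client's authorization for the saved one.

    Returns (bytes to forward to the server, auth name the client offered),
    or None if more bytes must be read first. Bytes after the setup
    request (the client's first requests) are forwarded unchanged."""
    parsed = parse_setup(buf)
    if parsed is None:
        return None
    endian, major, minor, offered_name, _offered_data, used = parsed
    return build_setup(endian, major, minor, saved_name, saved_data) + buf[used:], offered_name

# Constructed sample values, not taken from the page.
SAVED_NAME = b"MIT-MAGIC-COOKIE-1"
SAVED_COOKIE = bytes(range(16))
CLIENT_HELLO = build_setup("<", 11, 0, b"", b"")   # client offering no authorization
```
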