[605] in bugtraq
Re: Xwindows security?
daemon@ATHENA.MIT.EDU (William McVey)
Tue Jan 10 19:48:28 1995
To: bf@morgan.com (Benjamin Fried)
Cc: bugtraq@fc.net
Date: Tue, 10 Jan 1995 18:08:42 -0500
From: wam@cs.purdue.edu (William McVey)
Benjamin Fried wrote:
>Xhost actually has one advantage, of a sort, over xauth: users of xhost
>can grant access, and later take that access away.
You want to be very careful in assuming that because you type 'xhost -'
that your vulnerability goes away. All clients (like xkey) started
when the authority was off are still connected and are potentially
dangerous. Additionally, clients (like xcrowbar) can be started when
no authority is in place that turns off the authority mechanisms
altogether, thus making the 'xhost -' a moot point.
-- William McVey
Instructional Labs Administrator
Department of Computer Science
Purdue University
