[606] in bugtraq
Re: Xwindows security?
daemon@ATHENA.MIT.EDU (Jon Peatfield)
Wed Jan 11 02:32:09 1995
To: bf@morgan.com (Benjamin Fried)
Cc: bet@std.sbi.com (Bennett Todd),
mouse@Collatz.McRCIM.McGill.EDU (der Mouse), ddk@beta.lanl.gov,
bugtraq@fc.net, e41126@rl.gov, jp107@amtp.cam.ac.uk
In-Reply-To: Your message of "Tue, 10 Jan 1995 13:10:45 EST."
<9501101810.AA08507@rs1.fid.morgan.com>
Date: Wed, 11 Jan 1995 06:19:25 +0000
From: Jon Peatfield <J.S.Peatfield@amtp.cam.ac.uk>
> Xhost actually has one advantage, of a sort, over xauth: users of xhost
> can grant access, and later take that access away. Xauth doesn't permit
> this: there's no way to revoke a key to your display. You've got to
> restart the X server. Once you've given a key to someone, you can't
> take it away. What's needed is a way to dynamically create new,
> different keys for your display, and to be able to tell the X server to
> individually enable and disable them.
I had an idea a while back but no time to implement it. Perhaps some of you
would like to rip it to shreds in front of me and tell me why it stinks of
dead fish.
I'd like to add a new authentication mechanism to X which uses Ident (TAP,
RFC-931 etc), to check that a user is permitted. e.g. a server is given a
list of allowed user/machine pairs by a program like xhost:
(e.g. xhost +fred@jim.jam.org)
When a connection is made from that host the X server checks the Ident ID of
the TCP connection (only works over TCP (though you can probably add something
similar for other transport layers)), and if it matches one in the list
allowed from that host the connection is allowed.
Ident is not supposed to be used for authentication I hear people shout.
However, X connections should really only be made from machines you trust as
otherwise anyone with root access can steal the cookie or pretend to be that
user anyway. I.e. using Ident for this is no worse than admitting that you
must trust the remote host is ok anyway.
As far as I can see in my simple-minded way I can't see any attacks on this
which wouldn't also be possible using any other X authentication technique.
The downside is that you can't easily retro-fit this into old X servers such
as dedicated Xterminals and it requires that any host which a user wants to
connect to such a server from needs to run an Ident server.
It might be possible to run a proxy-authenticator on a known trusted machine
for all old Xterminals (adds delay and pain I know). Forcing people to run an
Ident server might cause problems for some types of system.
Ok, what have I missed? Why wouldn't it work, and what is the huge security
hole I didn't see? Anyone got any (constructive) comments?
-- Jon
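The check Jon sketches, written out as an added example (this is not code from the post, from X, or from any Ident implementation). It assumes the RFC 1413 wire format, that display :0 listens on TCP port 6000, that the `+user@host` syntax is exactly what the post proposes, and that the caller has already turned the peer address into a host name; the ident replies it runs against are constructed inline so it works offline.

```python
import re
import socket
from typing import Optional, Set, Tuple

IDENT_PORT = 113          # RFC 1413 Identification Protocol
X_SERVER_PORT = 6000      # TCP port of display :0 (assumption: display 0)

# An xhost-style allow list of (user, host) pairs, as the post's
# 'xhost +fred@jim.jam.org' would build it.
AllowList = Set[Tuple[str, str]]


def parse_xhost_arg(arg: str) -> Tuple[str, str]:
    """'+fred@jim.jam.org' -> ('fred', 'jim.jam.org'). Syntax is the post's proposal."""
    if not arg.startswith("+") or "@" not in arg:
        raise ValueError(f"expected +user@host, got {arg!r}")
    user, host = arg[1:].split("@", 1)
    return user, host.lower()


def build_query(remote_port: int, local_port: int) -> bytes:
    """Query sent to the ident daemon on the X client's host.

    RFC 1413 names the ports from the ident daemon's point of view:
    '<port-on-server>, <port-on-client>', where 'server' is the host that
    answers (the X client's machine) and 'client' is the host asking (the
    X server). So the client's source port goes first, our port second.
    """
    return f"{remote_port}, {local_port}\r\n".encode("ascii")


_REPLY = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def parse_reply(reply: bytes, remote_port: int, local_port: int) -> Optional[str]:
    """Return the claimed user-id, or None for ERROR, malformed or mismatched replies.

    A USERID reply looks like '34567, 6000 : USERID : UNIX : fred'. The
    user-id field may itself contain ':' (RFC 1413), so only the first ':'
    after the opsys field separates opsys from user-id.
    """
    line = reply.decode("ascii", "replace").rstrip("\r\n")
    m = _REPLY.match(line)
    if m is None:
        return None
    if (int(m.group(1)), int(m.group(2))) != (remote_port, local_port):
        return None                      # reply is about some other connection
    if m.group(3) == "ERROR":
        return None                      # NO-USER, HIDDEN-USER, INVALID-PORT, ...
    rest = m.group(4)
    if ":" not in rest:
        return None                      # USERID without '<opsys> : <user-id>'
    _opsys, user = (s.strip() for s in rest.split(":", 1))
    return user or None


def authorize(allow: AllowList, remote_host: str, reply: bytes,
              remote_port: int, local_port: int = X_SERVER_PORT) -> bool:
    """Accept the X connection only if the ident daemon on remote_host says the
    connection's owner is a user listed for that host.

    remote_host is assumed to be the name the caller already derived from the
    peer address. As the post says, the answer is only as trustworthy as the
    remote host: whoever controls it can answer whatever they like.
    """
    user = parse_reply(reply, remote_port, local_port)
    return user is not None and (user, remote_host.lower()) in allow


def ident_lookup(remote_host: str, remote_port: int,
                 local_port: int = X_SERVER_PORT, timeout: float = 5.0) -> bytes:
    """Real network round-trip to the remote ident daemon (not exercised offline)."""
    with socket.create_connection((remote_host, IDENT_PORT), timeout=timeout) as s:
        s.sendall(build_query(remote_port, local_port))
        return s.makefile("rb").readline()  # one CRLF-terminated reply line


if __name__ == "__main__":
    allow = {parse_xhost_arg("+fred@jim.jam.org")}
    # Constructed replies standing in for what identd on jim.jam.org would send
    # about a connection from its port 34567 to our port 6000.
    for r in (b"34567, 6000 : USERID : UNIX : fred\r\n",
              b"34567, 6000 : USERID : UNIX : mallory\r\n",
              b"34567, 6000 : ERROR : NO-USER\r\n"):
        print(r.strip(), "->", authorize(allow, "jim.jam.org", r, 34567))
```

Two things the code makes concrete that the post leaves implicit: the server has to tie the reply to the exact port pair of the connection it is vetting (a reply about a different port pair is rejected), and an ERROR or malformed reply is a deny, not a fall-through. Neither helps against a hostile remote host, which is exactly the post's point about trusting the client machine.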