[608] in bugtraq
Re: Xwindows security?
daemon@ATHENA.MIT.EDU (Doug McLaren)
Wed Jan 11 12:46:16 1995
Date: Wed, 11 Jan 1995 09:24:12 -0600
From: Doug McLaren <dougmc@comco.com>
Apparently-To: bugtraq@fc.net
In article <m0rRwP6-0000o1C%kro.amtp.cam.ac.uk@damtp.cambridge.ac.uk>,
Jon Peatfield  <J.S.Peatfield@amtp.cam.ac.uk> wrote:
| I'd like to add a new authentication mechanism to X which uses Ident (TAP, 
| RFC-931 etc), to check that a user is permitted.  e.g. a server is given a 
| list of allowed user/machine pairs by a program like xhost:
| 
|   (e.g. xhost +fred@jim.jam.org)
[ ... ]
| Ident is not supposed to be used for authentication I hear people shout.  
| However, X connections should really only be made from machines you trust as 
| otherwise anyone with root access can steal the cookie or pretend to be that 
| user anyway.  I.e. using Ident for this is no worse than admitting that you 
| must trust the remote host is ok anyway.
Yup.  People are gonna start quoting the RFC on you here, pointing at
you and calling you 'Sinner' ...
But the bottom line is that ident is better than nothing -
   xhost fred@jim.jam.org
is at *least* as good as
      xhost jim.jam.org
It would also be useful if you could combine xhost and xauth - have a
key that's valid only from certain addresses.  The ability to revoke
keys would indeed also be useful ...
Other things that would generally improve X security I think :
 - syslog logging of failed connections, or for the paranoid, all
   connections.  Right now, X11R5 and 6's X server have a '-audit' option
   that allows you to make it print, to STDERR, some log info.  '-audit
   1', the default, lists failed connections only.  I believe '-audit 2'
   lists all connections.  But the problem with this is that it goes to
   STDERR, which is often redirected to /dev/null or just not watched.
   Making it so it's not ignored is not a trivial endeavor.
   Has anybody written a patch to X11R6 to move this logging from STDERR
   to syslogd?  I'd like to do this, but haven't taken the time to see
   how hard it would be (shouldn't be very ...)
 - Default startup scripts that use xauth - excellent idea!
   At school, very few people use xauth - they just use what was given
   to them, and it works, and they don't really care much past that.  If
   they were given stuff that used xauth from day one, they'd use it, and
   it would work, and they wouldn't care much past that either.
 - The ability to give a 'limited power' X key/authorization - this
   would probably NOT be easy to do, but would be very helpful when you
   want to let somebody show you something on your X screen, but don't
   want to let them take over your screen entirely.