[613] in bugtraq
Re: Xwindows security?
daemon@ATHENA.MIT.EDU (Jon Peatfield)
Wed Jan 11 14:48:23 1995
To: rens@imsi.com
Cc: jp107@amtp.cam.ac.uk, bugtraq@fc.net
In-Reply-To: Your message of "Wed, 11 Jan 1995 12:00:48 EST."
<9501111700.AA20505@lorax.imsi.com>
Date: Wed, 11 Jan 1995 17:20:36 +0000
From: Jon Peatfield <J.S.Peatfield@amtp.cam.ac.uk>
(2nd attempt, 1st one had finger trouble.)
> Jon> One trick you can do with this is to get the X server to run
> Jon> through all current windows and perform the check again on
> Jon> their existing connection based on the current rules. A server
>
> This is a decent idea, though you'd have to keep state about the user
> associated with the display connection in the server. If you're going
> to be keeping this kind of information in the server on a
> per-connection basis, you may as well keep some sort of token or
> cookie
You have a choice here. Either cache the information on a per connection
basis or rescan all connections. (For each connection you know which host it
is to (stored in the TCP layer) and you can just do the Pident lookup again.)
Personally I'd prefer to cache the values, memory is cheaper than network
bandwidth :-)
Yes you could keep a (cookie,host) pair per connection instead but then you
still have to distribute them to each host. Cookies work well with NFS shared
home directories in small clusters of trusted machines and other cases where
you don't have to shunt them over the network. Using Pident saves the cookie
pushing and provides most of the features of (cookie,host) pairs.
Yes it doesn't work in all cases. E.g. X over DecNet, but I'm sure people can
invent tricks to do similar lookups. (Unix-Domain-Sockets can be done for
example by a daemon which looks to see who has the other end open.)
-- Jon
