[618] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Xwindows[sic] security?

daemon@ATHENA.MIT.EDU (der Mouse)
Wed Jan 11 16:53:57 1995

Date: Wed, 11 Jan 1995 14:30:47 -0500
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
To: bugtraq@fc.net

> But the bottom line is that ident is better than nothing -

>    xhost fred@jim.jam.org
> is at *least* as good as
>       xhost jim.jam.org

Not quite.  The former gives a sense of security that may be
unjustified.  While _you_ will not be taken in, joe-user who doesn't
really understand what the deal is with xhost to begin with quite
likely will be.

> It would also be useful if you could combine xhost and xauth - have a
> key that's valid only from certain addresses.  The ability to revoke
> keys would indeed also be useful ...

> Other things that would generally improve X security I think :

>  - The ability to give a 'limited power' X key/authorization - this
>    would probably NOT be easy to do, but would be very helpful when
>    you want to let somebody show you something on your X screen, but
>    don't want to let them take over your screen entirely.

Here again, xconns (the front-end program I referred to in a previous
note) could be useful.  Not as it stands, perhaps, but with a little
hacking to make it monitor the X traffic this could be done.  (It would
also have to be hacked on to make it do something with the
authenticator passed by the real client, which it currently ignores.)

I've gotten enough people asking me about this front-end that I'll note
here: yes, it's available, but it's not in the form of a cleaned-up
distribution, so you may have a little work to do to make it compile.
Anonymous ftp to collatz.mcrcim.mcgill.edu (132.206.78.1), cd /X, dir
xconns*, and fetch whatever looks interesting.  (Please ask for .gz
files if you have gunzip - be kind to my poor slow netlink....)

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu

home help back first fref pref prev next nref lref last post