[15357] in Athena Bugs
Re: sgi 8.1.7: xlogin/dm
daemon@ATHENA.MIT.EDU (Craig Fields)
Mon Aug 4 17:16:04 1997
Date: Mon, 4 Aug 1997 17:16:01 -0400
From: Craig Fields <cfields@MIT.EDU>
To: jhawk@MIT.EDU
Cc: kcr@MIT.EDU, mbarker@MIT.EDU, bugs@MIT.EDU

> This is the way Athena workstations have been configured in the past.
> It's certainly the way Athena Solaris machines are configured.

It's in code in dm. One reason SGIs don't have it is because they do
not use dm. However, its being implemented in dm is a hack - there
is still a conceivable window of vulnerability between the time that
the X server starts and the time hosts are removed from the ACL by
dm. It should really be possible to start the X server with the ACL
empty, but it is not.

Because Irix's xdm is used to start the X server, we don't have very
fast access to clear out the ACL.

> It's also quite clearly the Right Approach (tm).

It's the Right Approach to The Problem, yes. However, I was not too
motivated to do anything about it on the SGI because (a) to do it
right involves hacking the vendor xdm, and I'm not convinced this is
justified since (b) I don't have evidence the related hole exists and
is exploitable on the SGI. If you happen to have (b), let me know.

Craig