[17901] in Athena Bugs

Re: sun4 8.3.29: X

daemon@ATHENA.MIT.EDU (Aaron M. Ucko)
Tue Jun 13 20:36:25 2000

To: Jacob Morzinski <jmorzins@mit.edu>
Cc: Brad Thompson <yak@mit.edu>, bugs@mit.edu, jmercado@mit.edu
From: amu@MIT.EDU (Aaron M. Ucko)
Date: 13 Jun 2000 20:35:00 -0400
In-Reply-To: Jacob Morzinski's message of "13 Jun 2000 19:02:09 -0400"
Message-ID: <udlya49qevf.fsf@multics.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

<jmorzins@MIT.EDU> (Jacob Morzinski) writes:

> The INET: entries allow the behavior which you describe.  Being
> able to reduce the list to just the LOCAL: entry should solve the
> problem.

No, anyone logged into the machine could still take advantage of even
that entry.  AFAIK, the only fix is to require MIT-MAGIC-COOKIE
authentication or the like; IIRC, this approach runs into the problem
that public machines don't have enough unique secret state to generate
good cookies.

-- 
Aaron M. Ucko, KB1CJC <amu@mit.edu> (finger amu@monk.mit.edu)
