[3833] in testers
Re: xauth
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jul 23 03:38:54 1998
To: Jacob Morzinski <jmorzins@MIT.EDU>
Cc: testers@MIT.EDU
In-Reply-To: Your message of "Thu, 23 Jul 1998 03:09:52 EDT."
<Pine.LNX.3.96L.980723024518.5278A-100000@cutter-john.MIT.EDU>
Date: Thu, 23 Jul 1998 03:38:09 EDT
From: Greg Hudson <ghudson@MIT.EDU>
Unless I'm confused, Solaris 2.6 did upgrade the basis of its
Openwindows stuff to X11R6. So it's not too surprising to see new
behavior.
We would like to allow connections only from "LOCAL:", but it doesn't
seem to be easy to do that. Either xhost or the X server likes to put
INET:hostname and INET:localhost in the access control list, rendering
the machine vulnerable to remote TCP spoofing attacks for no good
reason. Very frustrating.
(Annoyingly, I cannot find the code anywhere in the NetBSD 1.3.2 X
source to enforce access for those INET entries, but NetBSD 1.3.2
seems to have the same behavior as every other platform.)
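A small audit check in the spirit of the complaint above, added here as an example (it is not part of the original message and not MIT or X11 code): it parses xhost(1)-style output and reports any access-list entry other than the LOCAL: family, so a machine whose list has picked up INET:hostname or INET:localhost entries can be spotted. The sample output below is constructed; on a live system the output of `xhost` would be piped into list_remote_entries instead.

```shell
#!/bin/sh
# Constructed sample of xhost(1) output (not taken from the original message).
# The first line is xhost's status line; the rest are access-list entries.
SAMPLE_XHOST_OUTPUT='access control enabled, only authorized clients can connect
LOCAL:
INET:localhost
INET:host.example.com'

# Read xhost-style output on stdin and print every access-list entry
# that is not the LOCAL: family (e.g. INET:... entries).
list_remote_entries() {
    grep -v '^access control' | grep -v '^LOCAL:$' | grep '^[A-Za-z]*:'
}

# Count the non-LOCAL entries in the xhost output passed as $1.
count_remote_entries() {
    printf '%s\n' "$1" | list_remote_entries | wc -l | tr -d ' '
}

# Return 0 when the list contains nothing but LOCAL:, 1 otherwise.
only_local_allowed() {
    [ "$(count_remote_entries "$1")" -eq 0 ]
}

# Stand-alone run: report the entries that widen access beyond LOCAL:.
if only_local_allowed "$SAMPLE_XHOST_OUTPUT"; then
    echo "OK: only LOCAL: connections are allowed"
else
    echo "WARNING: access list contains non-LOCAL entries:"
    printf '%s\n' "$SAMPLE_XHOST_OUTPUT" | list_remote_entries
fi
```

The status line is skipped rather than matched, so the check works on both "enabled" and "disabled" status wording; a disabled access list is a separate problem that xhost reports in that first line.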