[3878] in testers


Re: exmh problem?

daemon@ATHENA.MIT.EDU (John Hawkinson)
Tue Aug 18 06:00:44 1998

Date: Tue, 18 Aug 1998 06:00:36 -0400
To: Greg Hudson <ghudson@MIT.EDU>
Cc: testers@MIT.EDU
In-Reply-To: "[3855] in testers"
From: John Hawkinson <jhawk@MIT.EDU>

[ I was somehow reminded of this tonight... ]

| Date: Wed, 29 Jul 1998 12:41:26 EDT

| Unfortunately, I don't think I can fix this problem for a patch
| release.  It might break software which depends on being able to
| contact the X server on hostname:0.0.

Isn't any such software horribly broken anyhow? There are known
security holes for this condition, which is why Athena 7.x and 8.1
bothered to remove them from the access list... (except for Indy's)

I suppose it's possible that we sprouted applications in 8.2 so far
that are dependent upon this behavior, but it seems like security
should be a lot more important than a few poorly-behaved applications.

I spent some time tonight and here's a script you can run as root with
the pid of the X server as the first argument that will patch the
running X server such that you can remove localhost and the ip address
from the access-list with xauth. It currently lives in
/mit/jhawk/tmp/nolocal; it's clearly not a paragon of clarity and might
potentially be a target of a symlink-based attack because it writes to
a guessable filename in /tmp. On the other hand, it's not being
submitted for review.

On the gripping hand, I do think that this is an issue we should be
taking to Sun.

This code was derived from inspection of the X11R6 sources, principally
/mit/x11r6/src/xc/programs/Xserver/os/access.c.

--jhawk

#!/bin/sh
#
# nolocal
# John Hawkinson, <jhawk@MIT.EDU>, 18 August 1998
#
# Patch the 'selfhosts' list to not include the family
# inet interfaces, so that they can be easily
# removed from the X access control list.
#
# This probably should be followed by
#   xhost -localhost -`hostname`

file=/usr/openwin/bin/Xsun
script=/tmp/nl$$.nxt
pid=$1

# Variables:
#   HOST **g	Pointer to the pointer to the next HOST* in the chain
#   HOST *f	Pointer to the next HOST* in the chain
#   HOST *h	Pointer to the next of the next HOST*
# e.g.:   g -> f -> { data, data, data, h }
#
# This recursive macro sets g=h if the entry is one we don't
# wish to keep, so it may be removed. If we removed an entry,
# we need to reexamine its parent.
cat > $script << EOF
.>g
*<g>f
<f+8>h
<g/W(#((*<f)&ffff0000)*(*<h)+(##((*<f)&ffff0000)*(*<g)))
(#((*<f)&ffff0000)*(<g)+(##((*<f)&ffff0000)*((*<g)+8)))>h
<h,(##*<h)\$<${script}
EOF

adb $file << EOF
0t${pid}:A
selfhosts\$<${script}
:R
EOF
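
The message above notes that the script writes to a guessable filename in /tmp and might be a target of a symlink-based attack. The following is an added example, not part of the original message, that contrasts that pattern with a mktemp-based one inside a throwaway sandbox directory; the function names, file names and file contents are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Everything runs inside a
# private sandbox directory that stands in for /tmp; all names are constructed.

# Pattern used by the script above: predictable name, plain redirection.
# The shell follows a symlink already present at $1 and overwrites its target.
write_predictable() {
    echo "adb macro text" > "$1"
}

# Hardened pattern: mktemp -d creates an unpredictable directory with mode
# 0700 using mkdir(2), which fails on an existing name instead of following
# a link. Prints the path of the file created inside that directory.
write_private() {
    dir=$(mktemp -d "$1/nl.XXXXXX") || return 1
    echo "adb macro text" > "$dir/script.nxt"
    echo "$dir/script.nxt"
}

# Reproduce the condition: the guessable name already exists as a symlink to
# a file the privileged script can write. Prints the content of that file
# after the chosen variant ("predictable" or "private") has run.
demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/sandbox.XXXXXX") || return 1
    victim="$sandbox/victim"
    guess="$sandbox/nl12345.nxt"    # constructed stand-in for /tmp/nl$$.nxt

    echo "important" > "$victim"
    ln -s "$victim" "$guess"

    case "$1" in
        predictable) write_predictable "$guess" ;;
        private)     write_private "$sandbox" > /dev/null ;;
    esac

    cat "$victim"
    rm -rf "$sandbox"
}
```

`demo predictable` shows the linked file overwritten, while `demo private` leaves it untouched. In a real script the path printed by `write_private` would take the place of the fixed `script=` value, with a `trap` removing the directory on exit.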
