From owner-freebsd-questions Sat Feb 26 5:37:19 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from awfulhak.org (dynamic-117.max4-du-ws.dialnetwork.pavilion.co.uk [212.74.9.245])
	by hub.freebsd.org (Postfix) with ESMTP
	id BE6A837B960; Sat, 26 Feb 2000 05:37:10 -0800 (PST)
	(envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@shift.lan.awfulhak.org [172.16.0.12])
	by awfulhak.org (8.9.3/8.9.3) with ESMTP id NAA59097;
	Sat, 26 Feb 2000 13:28:55 GMT
	(envelope-from brian@hak.lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1])
	by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id NAA38907;
	Sat, 26 Feb 2000 13:28:55 GMT
	(envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200002261328.NAA38907@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.1 10/15/1999
To: "A. Rakukin"
Cc: "Brian Somers", "Matthew Dillon", freebsd-questions@FreeBSD.org,
	freebsd-security@FreeBSD.org, brian@hak.lan.awfulhak.org,
	brian@hak.lan.awfulhak.org
Subject: Re: Re[2]: X authorization
In-Reply-To: Message from "A. Rakukin" of "Sat, 26 Feb 2000 16:18:13 +0300."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 26 Feb 2000 13:28:55 +0000
From: Brian Somers
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > > Your assumptions as to 'xhost' are correct. Just setting DISPLAY on
> > > machine B to point to machine A will not give machine B access to
> > > machine A's X display. Machine A must give machine B access, typically
> > > through the 'xhost' command.
> >
> > I wouldn't say ``typically''. Using xhost is bad as it gives anybody
> > on the given host access to your display. Xauth is the correct way
> > to do it. It stuffs an authentication key in the .Xauthority file
> > allowing access only to people with access to the .Xauthority file.
> > Check the xauth man page for the magic incantation.
>
> I know that xhost is insecure. But it worked earlier!
> And now I have a situation as follows: I merely start X (via xdm) on host A,
> no windows/commands there, then go to host B,
> type `export DISPLAY=A:0; xterm' and see xterm window
> opened on the display of A! Then test `xhost' on A and see no hosts allowed...
>
> I think something has been changed in the configuration casually,
> and would be grateful for any advice what might it be.
> I looked through Xsessions etc, but have not found anything,
> unfortunately...

Well, if the person executing the X program (on B) either has a
correct .Xauthority or a xhost permit, they're allowed display. If
they haven't got xhost authority, I would think their .Xauthority
must be valid.

[.....]
> In any case, I would like to forbid unauthorized access at first!

This should be the default (and is for me).

[.....]
> Thanks to all,
> Alex

--
Brian
Don't _EVER_ lose your sense of humour !
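
The reply above reasons that a client on B with no xhost permit must be presenting a valid .Xauthority entry. As an added example (not part of the original message), this Python code parses the .Xauthority on-disk layout used by libXau and lists the entries that would apply to a given host and display, so the file on B can be checked for an entry covering A:0 without printing any key. The hostnames, the address and the all-zero keys in the sample are constructed, and the matching rule is a simplified assumption.

```python
import socket
import struct
# Family codes used in the on-disk .Xauthority format (libXau).
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def _field(blob, pos):
    """Read one field: 2-byte big-endian length, then that many bytes."""
    if pos + 2 > len(blob):
        raise ValueError("truncated entry at offset %d" % pos)
    (n,) = struct.unpack_from(">H", blob, pos)
    if pos + 2 + n > len(blob):
        raise ValueError("truncated field at offset %d" % pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(blob):
    """Return one dict per entry; the key bytes themselves are not returned."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family at offset %d" % pos)
        (fam,) = struct.unpack_from(">H", blob, pos)
        addr, pos = _field(blob, pos + 2)    # host name or raw IP address
        disp, pos = _field(blob, pos)        # display number, e.g. b"0"
        scheme, pos = _field(blob, pos)      # e.g. b"MIT-MAGIC-COOKIE-1"
        key, pos = _field(blob, pos)         # the secret itself
        host = (socket.inet_ntoa(addr) if fam == 0 and len(addr) == 4
                else addr.decode("ascii", "replace"))
        entries.append({"family": FAMILIES.get(fam, str(fam)), "host": host,
                        "display": disp.decode("ascii", "replace"),
                        "scheme": scheme.decode("ascii", "replace"),
                        "key_len": len(key)})
    return entries

def grants(entries, host, display):
    """Entries usable for host:display (simplified: Wild or empty display match any)."""
    return [e for e in entries
            if (e["family"] == "Wild" or e["host"] == host)
            and e["display"] in ("", display)]

def _entry(fam, *fields):
    """Serialise one entry; used only to build the constructed sample."""
    return struct.pack(">H", fam) + b"".join(
        struct.pack(">H", len(f)) + f for f in fields)

# Constructed sample: hostnames, address and all-zero keys are made up.
SAMPLE = (_entry(256, b"hostA", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + _entry(0, socket.inet_aton("192.0.2.10"), b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
          + _entry(256, b"hostB", b"1", b"MIT-MAGIC-COOKIE-1", bytes(16)))
```

To inspect a real file, pass its bytes to `parse_xauthority`, for example the contents of `~/.Xauthority` read in binary mode, then call `grants` with the server's name or address and display number.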