From owner-freebsd-security Sat Jun 26 7:35:43 1999
Date: Sat, 26 Jun 1999 16:30:56 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED" (envelope-from mencl@nenya.ms.mff.cuni.cz)
To: security@FreeBSD.ORG
Cc: Robert Watson
Subject: X security (was Re: X and SSH)
In-Reply-To:
Message-ID:

On Sat, 26 Jun 1999, Robert Watson wrote:

...

> I personally like to run incoming tunneled X sessions from under-trusted
> hosts in Xnest, but maybe that's just me... :-)

Does it give more security?

Of course, if you separate your X applications (like netscape) from the untrusted connections, it prevents attackers from tangling i.e. with your netscape (and issuing a saveAs command, for example).

But in case the forwarding host is corrupted and the forwarding channel misused, does it give you enough protection?

In the documentation of remote control of netscape via the X display, it says
(http://home.netscape.com/newsref/std/x-remote.html):

:: It is important (in general) that everyone be aware of the security
:: risks associated with allowing unlimited access to your X server.
:: Regardless of whether you use Netscape Navigator, allowing arbitrary
:: users and hosts access to your X server is a gaping security hole. If
:: hostile forces can connect to your server, it is trivially easy for
:: them to execute arbitrary shell commands as you, read and write any of
:: your files, and watch every character you type.

Where is the hole? And is it the same for Xnest?

I don't know how access to an X server can be misused, but I guess access to Xnest could be misused too. Only it might be a bit more difficult.

Vladimir Mencl
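The quoted Netscape warning is about an X server whose access control has been opened to arbitrary hosts. As an added, defender-side audit helper (not code from the thread or from FreeBSD), the script below classifies the state reported by `xhost` and checks a socket listing for an X display port bound to a wildcard address; the `xhost` header strings, the `sockstat`-style `*:6000` format and the sample outputs are constructed assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. Assumptions: `xhost`
# prints the X11R6-style header line followed by one allowed entry per
# line ("INET:host", "LOCAL:", "SI:localuser:name"); the socket listing is
# sockstat-style text in which a listening display shows as "*:6000".

# xhost_state OUTPUT -> prints "open", "hostlist" or "closed"
#   open     : access control disabled, any host may connect (the hole)
#   hostlist : access control enabled, but specific hosts are allowed
#   closed   : access control enabled, no extra hosts allowed
xhost_state() {
    out="$1"
    case "$out" in
        *"access control disabled"*) echo open; return ;;
    esac
    # Allowed entries are the lines shaped like FAMILY:...; "|| true"
    # keeps a zero count from aborting callers that run under set -e.
    n=$(printf '%s\n' "$out" | grep -c '^[A-Z]*:' || true)
    if [ "$n" -gt 0 ]; then echo hostlist; else echo closed; fi
}

# x_tcp_listening SOCKLIST -> exit 0 if a display port 6000-6009 is bound
# to the wildcard address, i.e. the X server is reachable over the network
# rather than only via the local socket (or an ssh-forwarded display).
x_tcp_listening() {
    printf '%s\n' "$1" | grep -Eq '\*:600[0-9]( |$)'
}

# Constructed sample outputs used for the stand-alone demonstration.
SAMPLE_OPEN="access control disabled, clients can connect from any host"
SAMPLE_LIST="access control enabled, only authorized clients can connect
INET:host.example.org"
SAMPLE_CLOSED="access control enabled, only authorized clients can connect"
SAMPLE_SOCK="USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root XFree86 311 1 tcp4 *:6000 *:*"

echo "xhost: $(xhost_state "$SAMPLE_LIST")"
if x_tcp_listening "$SAMPLE_SOCK"; then
    echo "X display port bound to wildcard address: reachable from the network"
fi
```

On a live host the same functions take `xhost_state "$(xhost)"` and `x_tcp_listening "$(sockstat -4l)"` as input.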