Date:      Sat, 26 Feb 2000 13:28:55 +0000
From:      Brian Somers <brian@Awfulhak.org>
To:        "A. Rakukin" <rakukin@mail.ru>
Cc:        "Brian Somers" <brian@Awfulhak.org>, "Matthew Dillon" <dillon@apollo.backplane.com>, freebsd-questions@FreeBSD.org, freebsd-security@FreeBSD.org, brian@hak.lan.awfulhak.org, brian@hak.lan.awfulhak.org
Subject:   Re: Re[2]: X authorization 
Message-ID:  <200002261328.NAA38907@hak.lan.Awfulhak.org>
In-Reply-To: Message from "A. Rakukin" <rakukin@mail.ru>  of "Sat, 26 Feb 2000 16:18:13 +0300." <E12Oh6r-000Epu-00@f1.mail.ru> 

> > >     Your assumptions as to 'xhost' are correct.  Just setting DISPLAY on
> > >     machine B to point to machine A will not give machine B access to 
> > >     machine A's X display.  Machine A must give machine B access, typically
> > >     through the 'xhost' command.
> > 
> > I wouldn't say ``typically''.  Using xhost is bad as it gives anybody 
> > on the given host access to your display.  Xauth is the correct way 
> > to do it.  It stuffs an authentication key in the .Xauthority file 
> > allowing access only to people with access to the .Xauthority file.  
> > Check the xauth man page for the magic incantation.
> 
> I know that xhost is insecure. But it worked earlier!
> And now I have a situation as follows: I merely start X (via xdm) on host A, 
> no windows/commands there, then go to host B, 
> type `export DISPLAY=A:0; xterm' and see xterm window 
> opened on the display of A! Then test `xhost' on A and see no hosts allowed...
> 
> I think something has been changed in the configuration casually,
> and would be grateful for any advice on what it might be.
> I looked through Xsessions etc, but have not found anything,
> unfortunately...

Well, if the person executing the X program (on B) either has a 
correct .Xauthority or a xhost permit, they're allowed display.  If 
they haven't got xhost authority, I would think their .Xauthority 
must be valid.

[.....]
> In any case, I would like to forbid unauthorized access at first!

This should be the default (and is for me).

[.....]
> Thanks to all,
> Alex

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                    <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
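
The following is an added example, not part of the original message: a shell check that tells which of the two mechanisms discussed above (an xhost permit or an .Xauthority cookie) would admit a client, working from the text of `xhost` and `xauth list`. The function names, host names A and B, and the cookie value are constructed for illustration.

```shell
#!/bin/sh
# Which X access-control mechanism admits a client? Inputs are the text of
# `xhost` (run on the display host) and `xauth list` (run as the client user).
# Function and variable names are illustrative, not from the thread.

# $1 = xhost output, $2 = client host. Prints open | host-listed | not-listed
xhost_verdict() {
    printf '%s\n' "$1" | awk -v h="$2" '
        NR == 1 && /access control disabled/ { print "open"; seen = 1; exit }
        NR > 1 {
            entry = $1
            sub(/^INET6?:/, "", entry)          # xhost prefixes the family
            if (tolower(entry) == tolower(h)) { print "host-listed"; seen = 1; exit }
        }
        END { if (!seen) print "not-listed" }'
}

# $1 = xauth list output, $2 = display host, $3 = display number.
# Succeeds if an entry for host:num or host/unix:num is present.
has_cookie() {
    printf '%s\n' "$1" | awk -v h="$2" -v n="$3" '
        { split($1, p, ":"); name = p[1]; sub(/\/unix$/, "", name)
          if (tolower(name) == tolower(h) && p[2] == n && $2 != "") found = 1 }
        END { exit !found }'
}

# $1 = xhost output, $2 = xauth list output, $3 = client host,
# $4 = display host, $5 = display number
access_reason() {
    case $(xhost_verdict "$1" "$3") in
        open)        echo "xhost: access control disabled, any host may connect" ;;
        host-listed) echo "xhost: every user on $3 may connect" ;;
        *) if has_cookie "$2" "$4" "$5"; then
               echo "xauth: client holds a cookie for $4:$5"
           else
               echo "denied: no xhost entry and no cookie"
           fi ;;
    esac
}

# Constructed sample for the situation in the thread: xhost on A lists no
# hosts, but the user's .Xauthority on B carries a cookie for A:0.
SAMPLE_XHOST='access control enabled, only authorized clients can connect'
SAMPLE_XAUTH='A:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
A/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

access_reason "$SAMPLE_XHOST" "$SAMPLE_XAUTH" B A 0
```

With live data, pass `"$(xhost)"` from the display host and `"$(xauth list)"` from the client account in place of the sample strings.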



