Date:      Sat, 26 Jun 1999 16:30:56 +0200 (MET DST)
From:      "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To:        security@FreeBSD.ORG
Cc:        Robert Watson <robert+freebsd@cyrus.watson.org>
Subject:   X security (was Re: X and SSH)
Message-ID:  <Pine.SO4.4.05.9906261604430.24379-100000@nenya>
In-Reply-To: <Pine.BSF.3.96.990626070947.339A-100000@fledge.watson.org>

On Sat, 26 Jun 1999, Robert Watson wrote:

...

> 
> I personally like to run incoming tunneled X sessions from under-trusted
> hosts in Xnest, but maybe that's just me... :-)


   Does it give more security? 

   Of course, if you separate your X applications (like netscape) from
the untrusted connections, it prevents attackers from tangling i.e. with
your netscape (and issuing a saveAs command, for example).

   But in case the forwarding host is corrupted and the forwarding
channel misused, does it give you enough protection?

In documentation of remote control of netscape via X display, it says:

(http://home.netscape.com/newsref/std/x-remote.html)

:: It is important (in general) that everyone be aware of the security
:: risks associated with allowing unlimited access to your X server.
:: Regardless of whether you use Netscape Navigator, allowing arbitrary
:: users and hosts access to your X server is a gaping security hole. If
:: hostile forces can connect to your server, it is trivially easy for
:: them to execute arbitrary shell commands as you, read and write any of
:: your files, and watch every character you type.


    Where is the hole? And is it the same for Xnest?

I don't know how access to an X server can be misused, but I guess access
to Xnest could be misused too. Only it might be a bit more difficult.


				Vladimir Mencl



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
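The "gaping security hole" the quoted Netscape text warns about is an X server whose access control admits arbitrary hosts or users. As an added example (not part of the post above), here is a small audit of `xhost` output that flags such settings; the sample outputs are constructed, and the entry format assumed is the `FAMILY:name` form printed by XFree86/X.Org `xhost`.

```python
"""Audit `xhost` output for X server access-control settings that let
arbitrary hosts or users connect.  Added example with constructed input."""
from typing import List

# Constructed sample outputs (not captured from a real host).
OPEN_OUTPUT = """access control disabled, clients can connect from any host
INET:gateway.example.org
LOCAL:
SI:localuser:alice
"""

RESTRICTED_OUTPUT = """access control enabled, only authorized clients can connect
SI:localuser:alice
"""


def audit_xhost(output: str) -> List[str]:
    """Return findings for risky settings; an empty list means none seen."""
    findings: List[str] = []
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        return ["no xhost output to analyse"]
    header, entries = lines[0], lines[1:]
    if header.startswith("access control disabled"):
        # `xhost +` was run: any client on any host may connect.
        findings.append("access control disabled: any host may connect")
    for entry in entries:
        family, sep, name = entry.partition(":")
        if not sep:
            # Older servers print a bare hostname; treat it as a host entry.
            family, name = "INET", entry
        if family in ("INET", "INET6", "DNET"):
            # A host entry admits every user on that host, not one user.
            findings.append(f"host entry {entry!r}: all users on that host may connect")
        elif family == "LOCAL":
            # `xhost +local:` admits every local user via the Unix socket.
            findings.append("LOCAL: entry: every local user may connect")
        elif family == "SI" and not name.startswith("localuser:"):
            findings.append(f"server-interpreted entry {entry!r}: check who it admits")
    return findings


if __name__ == "__main__":
    for label, out in (("open", OPEN_OUTPUT), ("restricted", RESTRICTED_OUTPUT)):
        print(label, audit_xhost(out) or ["no risky entries"])
```

On a live system, feed it `subprocess.run(["xhost"], capture_output=True, text=True).stdout` from a session that owns the display.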



