
Re: a question (stupid?)



This is a related comment on X security.

>>>>> "dpk" == dpk  <dpk@egr.msu.edu> writes:
    > If you are trying to run X applications between two machines
    > you have to set the display and xhost variables.

Not to be overly picky here, but xhost is not exactly a
"variable".  For details, see the xhost man page or the X
security faq.  More importantly, I think it's worth pointing out
that xhost does more than what you pointed out.  In particular,
it enables access to the local display for /all/ users on the
remote machine.

[...]
    > <prompt@my.machine> xhost remote.machine 
    > remote.machine being added to access control list

    > Then you will be able to run X applications from the remote
           ^^^ = everybody on remote machine
    > machine having the display/interface to your X windows
    > environment.

If you are working with single user machines, this may not be a
problem, but when you work on multi-user systems, you may not
want to open yourself up to this.

A somewhat more secure way of handling display access is to use
xauth.  If the display that you want to use has been set up using
xdm, you can get a "cookie" with the xauth command, i.e.

  host> xauth list $DISPLAY
  host.some.place.blah:0  MIT-MAGIC-COOKIE-1  9087132

The cookie value will vary - normally it's longer.  On a remote
host, you can add this cookie (authorization record) to the
authority file on the remote host:

  otherhost> xauth add host.some.place.blah:0  MIT-MAGIC-COOKIE-1  9087132

This provides access authorization for the remote host to use
the display host.some.place.blah:0, but only for the user who has
the correct record in her authorization file.

Regards, Mike

P.S. Suggested readings: xauth, xhost, Xsecurity man pages (I
don't think that the Xsecurity man page is not part of the
standard debian distribution) and the X Security faq available at
an archive near you.

P.P.S.  In case you have not logged in using xdm, you can make
your own cookie.  Just make sure that it is fairly unique and
private (that is, stored only in your authorization file). I use
the following alias in my .bashrc:

  alias bake-cookie="xauth add ${HOST}:0 . `date +"%y%m%d%H%M%S"``date +"%y%m%d%H%M%S"`"


-- 
Michael A. Miller                              miller5@uiuc.edu
  Nuclear Physics Lab, University of Illinois, Urbana-Champaign
  PGP public key available on request
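
An added example, not part of the original message: the make-your-own-cookie step from the P.P.S., with the key drawn from /dev/urandom instead of the clock, since a timestamp-derived key can be guessed by anyone who knows roughly when it was made. The function names are hypothetical, and it assumes a POSIX shell with od, /dev/urandom and xauth available.

```sh
#!/bin/sh
# Added example (not from the original message): bake an
# MIT-MAGIC-COOKIE-1 key from the kernel random source.

# Print 16 random bytes as 32 lowercase hex digits.
make_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Succeed only for a non-empty, all-hex string with an even number
# of digits, which is the key form xauth accepts.
is_valid_cookie() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Add a fresh cookie for display $1 (default: $DISPLAY) to the
# caller's authority file. "." is xauth's abbreviation for
# MIT-MAGIC-COOKIE-1, as in the alias above.
bake_cookie() {
    display=${1:-$DISPLAY}
    if [ -z "$display" ]; then
        echo "bake_cookie: no display given and DISPLAY is unset" >&2
        return 2
    fi
    cookie=$(make_cookie)
    if ! is_valid_cookie "$cookie"; then
        echo "bake_cookie: could not generate a cookie" >&2
        return 1
    fi
    # Subshell keeps the tightened umask local: a newly created
    # authority file is readable by its owner only.
    ( umask 077; xauth add "$display" . "$cookie" )
}
```

The X server has to be started with the same authority record for the cookie to take effect; copying it to a remote account works as shown earlier with xauth list and xauth add.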

