Re: "xauth +", not a good idea...
Christian Hudon wrote:
>
> On Jun 21, Gernot Bauer wrote
> > > Hi,
> > > I recently upgraded my Xfree setup to 3.3 from unstable. But now I seem
> > > to have some problems.
> > > Only the user that runs the xserver (startx) can run apps on it;
> > > any attempt to run an app by another user is refused. eg below;
> > >
> > > # xhost
> > >
> > > Xlib: connection to ":0.0" refused by server
> > > Xlib: Invalid MIT-MAGIC-COOKIE-1 key
> > > xhost: unable to open display ":0.0"
> > > #
> >
> > Isn't this a "feature"? Did you try "xhost +"? My root-user also must not
> > open windows on my (user-)screen. "xhost +" disables this.
>
> ... and enables anyone on the Internet to connect to your X server and,
> say, stuff the string "rm -rf /" in an open root xterm. Or read everything
> you type, including passwords.
>
> Doing "xhost +" in response to an "Invalid MIT-MAGIC-COOKIE-1 key" is
> pretty much the equivalent of making all files writable by anyone ("chmod
> -R ugo+w /") and setting all the passwords to "" in response to a
> "permission denied" error when trying to access a file. Anyone that can get
> to your machine can now do pretty much anything they want to it. So, unless
> your machine is never connected to any kind of network, it's definitely a
> *bad* idea. And the "Invalid MIT-MAGIC-COOKIE-1 key" message that other
> users get when trying to connect to your X server is definitely a *feature*
> (enclosed in stars) as opposed to a "feature" (enclosed in quotes).
>
> If you trust everyone who has a login on your machine, do "xhost
> +local:" instead of "xhost +". This will allow only non-network, local
> connections to your X server.
>
[snip]
Oops, thanks for these hints. Looks like I should take some more lessons
in "security" matters...
Gernot
--
--------------------------
Gernot Bauer
University of Linz
gbauer@risc.uni-linz.ac.at
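As an added example (not from the thread or its authors), a small POSIX shell check that classifies what `xhost` reports, so an administrator can tell a display left wide open by "xhost +" from one restricted with "xhost +local:" or protected only by the MIT-MAGIC-COOKIE-1 cookie. The `classify_xhost` function name and the sample outputs are my own constructions.

```shell
#!/bin/sh
# Classify the access-control state of an X server from `xhost` output.
# Verdicts, from worst to best:
#   OPEN    - access control disabled ("xhost +"): any host may connect
#   NETWORK - enabled, but INET/INET6 entries admit remote hosts
#   LOCAL   - enabled, only LOCAL:/SI: entries ("xhost +local:")
#   COOKIE  - enabled with no host entries: MIT-MAGIC-COOKIE-1 only
classify_xhost() {
    status="" net=0 loc=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) status=disabled ;;
            "access control enabled"*)  status=enabled ;;
            INET:*|INET6:*)             net=$((net + 1)) ;;
            LOCAL:*|SI:*)               loc=$((loc + 1)) ;;
        esac
    done
    if [ "$status" = disabled ]; then
        echo OPEN
    elif [ "$net" -gt 0 ]; then
        echo NETWORK
    elif [ "$loc" -gt 0 ]; then
        echo LOCAL
    else
        echo COOKIE
    fi
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_LOCAL='access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:gernot'

# Audit the live display when one is reachable, otherwise show the samples.
if [ -n "$DISPLAY" ] && out=$(xhost 2>/dev/null); then
    printf '%s\n' "$out" | classify_xhost
else
    printf '%s\n' "$SAMPLE_OPEN"  | classify_xhost   # OPEN
    printf '%s\n' "$SAMPLE_LOCAL" | classify_xhost   # LOCAL
fi
```

Anything other than LOCAL or COOKIE means the display accepts connections from outside the machine and should be fixed with "xhost -" or by re-enabling cookie authentication.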