
Re: how does root run a graphical prog



on Mon, May 20, 2002, Vineet Kumar (debian-user@virtual.doorstop.net) wrote:
> * Dave Sherohman (esper@sherohman.org) [020520 10:49]:
> > On Mon, May 20, 2002 at 06:39:22PM +0200, Kristian Rink wrote:
> > > Something like 'xhost +' basically should
> > > allow anyone (on your system) to connect to X hence to display any
> > > graphical output.
> > 
> > Bzzt!  'xhost +' allows anyone (on any system capable of contacting
> > your system) to connect to X and display any graphical output.  Not
> > good...
> > 
> > If you MUST use xhost, use 'xhost + localhost'.  But using xauth or
> > XAUTHORITY is the Right Way To Do It.
> 
> Thanks Dave! You just pointed out one of the many, many, MANY reasons to
> NEVER USE xhost. The reason you just illustrated: "When you might want
> to do 'xhost +localhost', you might accidentally enter
> 'xhost + localhost', which has the same effect as 'xhost +'."
> 
> Even if you DID get it "right", 'xhost +localhost' allows anyone on
> localhost to connect to your X server. Probably not what you want,
> especially on a system with many users, or any system with any users you
> don't fully trust (probably every system).
> 
> It's worth noting that the danger isn't just that anyone can display
> apps on your display. In addition to being able to open windows on your
> display, anyone else would be able to destroy any (or all) of
> your windows, view the contents of your screen remotely, log your
> keystrokes, or generate /any/ X event.
> 
> This horse has been beaten to death. Search Google and you'll probably
> come up with a kmself rant (TM) about why xhost is bad, along with info
> from plenty of other enlightened individuals.

    http://www.google.com/search?hl=en&q=karsten+self+xauth+merge

...and hit "I'm feeling lucky".

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Hollings:  bought, paid for, but couldn't deliver the CBDTPA:
     http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html
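What the quoted replies are arguing for, as an added example (not code from this thread or any of its posters): a small sh file that (a) walks an argument list the way xhost(1) does, so the 'xhost + localhost' slip can be spotted before it reaches the server, and (b) hands root this user's MIT-MAGIC-COOKIE by piping `xauth extract` into `xauth merge` under sudo, which is the xauth/XAUTHORITY route rather than xhost. It assumes POSIX sh; the last function additionally assumes sudo(8) and xauth(1) are installed, that `sudo -H` is acceptable for pointing HOME at root's home, and a live X session in $DISPLAY. Function names are my own.

```shell
#!/bin/sh
# Added example for the xhost vs. xauth discussion above; not code from the
# original thread.  Assumes: POSIX sh, and (for grant_root_display only)
# sudo(8), xauth(1) and a live X session in $DISPLAY.

# classify_xhost ARG...
# Walk the arguments the way xhost(1) does and report where the server's
# access-control switch ends up:
#   "+"  alone        -> access control disabled (anyone who can reach the
#                        server may connect)
#   "-"  alone        -> access control enabled
#   "+name" / "name"  -> add a host;  "-name" -> remove a host
#                        (neither touches the switch)
# So `xhost + localhost` is two arguments, "+" and "localhost", and is the
# same as `xhost +` followed by `xhost +localhost`.
classify_xhost() {
    _state=unchanged
    for _arg in "$@"; do
        case "$_arg" in
            "+") _state=disabled ;;
            "-") _state=enabled ;;
            *)   ;;   # host add/remove; the switch is left as it was
        esac
    done
    printf '%s\n' "$_state"
}

# xhost_hosts ARG...
# Print, one per line, the host entries the same command line would add
# (prefixed "+") or remove (prefixed "-"), ignoring the bare +/- switches.
xhost_hosts() {
    for _arg in "$@"; do
        case "$_arg" in
            "+" | "-") ;;
            +*)        printf '%s%s\n' '+' "${_arg#+}" ;;
            -*)        printf '%s%s\n' '-' "${_arg#-}" ;;
            *)         printf '%s%s\n' '+' "$_arg" ;;
        esac
    done
}

# grant_root_display [DISPLAY]
# The xauth route: copy this user's cookie for DISPLAY into root's own
# ~/.Xauthority.  `xauth extract - DISP` writes the matching entries in
# xauth's binary format to stdout; `xauth merge -` reads that format from
# stdin.  `sudo -H` sets HOME to root's home so the merge lands in
# /root/.Xauthority rather than in the calling user's file.
# Unlike xhost this grants access to one principal (whoever can read
# root's .Xauthority, i.e. root) for one display, and nothing else.
grant_root_display() {
    _disp="${1:-$DISPLAY}"
    if [ -z "$_disp" ]; then
        echo "grant_root_display: no DISPLAY given or set" >&2
        return 1
    fi
    if ! command -v xauth >/dev/null 2>&1; then
        echo "grant_root_display: xauth not installed" >&2
        return 2
    fi
    xauth extract - "$_disp" | sudo -H xauth merge -
}

# Typical use, after sourcing this file:
#   grant_root_display                      # once per X session
#   sudo -H env DISPLAY="$DISPLAY" xterm    # any X client as root
# and never `xhost +`.  To confirm nothing was opened up:
#   xhost                                   # expect "access control enabled"
```

Running `classify_xhost + localhost` prints "disabled", which is the whole point of the thread: the space turns a host entry into a server-wide off switch. The cookie merge has to be repeated when the X session (and with it the cookie) changes, and it only works for a root that can reach the same display socket, which is what you want.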
