on Fri, Jul 12, 2002, Shri Shrikumar (shri@urbyte.com) wrote:
> On Fri, 2002-07-12 at 03:00, Gordon Paynter wrote:
> <snip>
>
> >
> > So here is what happens. I log in as user1 and run mozilla. Later, I
> > open a new window and log in there as user2 (using the same machine
> > and the same DISPLAY). As user2, I run "netscape" at the
> > command-line. Rather than starting netscape, a new window is launched
> > for user1 from user2's process of Mozilla.
> >
> > Obviously, this is bad. Suppose user2 maliciously sets their display
> > to some other machine, and runs netscape. Netscape has user1's
> > Mozilla launch a new window on the remote machine, and user2 has
> > access to user1's stored passwords etc.
>
> > Can anyone else verify this behaviour? I think this is probably a
> > netscape bug (it should never have attempted to use another user's
> > process) and a Mozilla bug (it should never have launched a window for
> > the other user). Either that, or it's some sort of misconfiguration on
> > my part. Any thoughts?
>
> Yes. Kind Of. On the same display, if I spawn two terminals with two
> different users and spawn mozilla from each, the second instance is run
> as the first user.
>
> This is however, only after I did
>
> % xhost +

DON'T *** EVER *** DO THIS. You're opening your entire X session up to
any system on the planet (or off it) which can network to it.

The problem stated above has nothing to do with this proposed solution.

Peace.

--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Use a personal CSS stylesheet to promote Web usability:
http://kmself.home.netcom.com/Download/UserContent.css
http://kmself.home.netcom.com/Download/test-css.html
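
Added example, not part of the original thread: a shell function that audits `xhost` output for the open state the reply warns about. The helper name `audit_xhost`, the sample output and the user names are constructed for illustration.

```shell
#!/bin/sh
# Audit the access list printed by `xhost`. The function reads that output on
# stdin, so it can be exercised without an X server; on a live session run:
#   xhost | audit_xhost
# Remediation: `xhost -` re-enables access control, and
# `xhost +si:localuser:NAME` grants a single local user instead of everyone.

audit_xhost() {
    # One finding per line. Returns 0 = only per-user grants,
    # 1 = host-wide grants present, 2 = access control disabled.
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control disabled (state left by 'xhost +')"
                rc=2 ;;
            "access control enabled"*|"")
                ;;
            SI:localuser:*)
                echo "INFO: local user grant: ${line#*:localuser:}" ;;
            LOCAL:*)
                echo "WARN: every local user on this machine may connect"
                if [ "$rc" -lt 1 ]; then rc=1; fi ;;
            *)
                echo "WARN: host-based grant: $line"
                if [ "$rc" -lt 1 ]; then rc=1; fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample: what `xhost` prints after `xhost +`.
SAMPLE_OPEN='access control disabled, clients can connect from any host
SI:localuser:user1'

# Constructed sample: access control on, one extra local user granted.
SAMPLE_SCOPED='access control enabled, only authorized clients can connect
SI:localuser:user2'

printf '%s\n' "$SAMPLE_OPEN"   | audit_xhost || echo "exit status: $?"
printf '%s\n' "$SAMPLE_SCOPED" | audit_xhost || echo "exit status: $?"
```

A non-zero exit status makes the function usable as a check in a login script or a periodic audit job.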