on Fri, Jul 12, 2002, Shri Shrikumar (shri@urbyte.com) wrote:
> On Fri, 2002-07-12 at 03:00, Gordon Paynter wrote:
> <snip>
> >
> > So here is what happens. I log in as user1 and run mozilla. Later, I
> > open a new window and log in there as user2 (using the same machine
> > and the same DISPLAY). As user2, I run "netscape" at the
> > command-line. Rather than starting netscape, a new window is launched
> > for user1 from user2's process of Mozilla.
> >
> > Obviously, this is bad. Suppose user2 maliciously sets their display
> > to some other machine, and runs netscape. Netscape has user1's
> > Mozilla launch a new window on the remote machine, and user2 has
> > access to user1's stored passwords etc.
> >
> > Can anyone else verify this behaviour? I think this is probably a
> > netscape bug (it should never have attempted to use another user's
> > process) and a Mozilla bug (it should never have launched a window for
> > the other user). Either that, or it's some sort of misconfiguration on
> > my part. Any thoughts?
>
> Yes. Kind Of. On the same display, if I spawn two terminals with two
> different users and spawn mozilla from each, the second instance is run
> as the first user.
>
> This is however, only after I did
>
> % xhost +

DON'T *** EVER *** DO THIS.

You're opening your entire X session up to any system on the planet (or
off it) which can network to it.

The problem stated above has nothing to do with this proposed solution.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Use a personal CSS stylesheet to promote Web usability:
     http://kmself.home.netcom.com/Download/UserContent.css
     http://kmself.home.netcom.com/Download/test-css.html
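An added example, not part of the original message: a shell check that reads the output of `xhost` and flags the state that `xhost +` leaves behind, along with host-wide grants. The function name `audit_xhost`, the severity labels and the sample output lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the output of `xhost`.
# Real use:  xhost | audit_xhost
# Return status: 0 = only per-user grants, 1 = host-wide grants present,
#                2 = access control disabled (the state `xhost +` creates).
audit_xhost() {
    level=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # Any client that can reach the X server may connect.
                echo "CRITICAL: access control disabled; re-enable with 'xhost -'"
                level=2 ;;
            "access control enabled"*|"")
                ;;
            SI:localuser:*)
                # Server-interpreted entry: grants one local user only.
                echo "OK: per-user grant ${line#SI:localuser:}" ;;
            *)
                # INET:, INET6:, LOCAL: and bare hostnames admit every
                # user on that host, not a single account.
                echo "WARN: host-wide grant '$line'"
                if [ "$level" -lt 1 ]; then level=1; fi ;;
        esac
    done
    return "$level"
}

# Constructed sample of what `xhost` prints after `xhost +`.
printf '%s\n' \
    'access control disabled, clients can connect from any host' \
    'INET:localhost' | audit_xhost || true
```
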