From owner-freebsd-security Wed Mar 21 8:16:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from relay.ioffe.rssi.ru (relay.ioffe.rssi.ru [194.85.224.33])
    by hub.freebsd.org (Postfix) with ESMTP id D340F37B73D
    for ; Wed, 21 Mar 2001 08:16:43 -0800 (PST)
    (envelope-from kopts@astro.ioffe.rssi.ru)
Received: from astro.ioffe.rssi.ru (astro.ioffe.rssi.ru [194.85.229.130])
    by relay.ioffe.rssi.ru (8.9.1/8.9.1) with ESMTP id TAA17877;
    Wed, 21 Mar 2001 19:15:00 +0300 (MSK)
Received: by astro.ioffe.rssi.ru (8.9.3/Clnt-2.14-AS-eef) id TAA16762;
    Wed, 21 Mar 2001 19:14:54 +0300 (MSK)
Date: Wed, 21 Mar 2001 19:14:54 +0300 (MSK)
From: Alexey Koptsevich
To: "Crist J . Clark"
Cc: security@freebsd.org
Subject: Re: Disabling xhost(1) Access Control
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Crist,

I am also thinking about disabling xhost and wonder which solution you
have chosen -- modifying the Xserver source offered later in the thread?
Actually, "-nolisten tcp" is a nice idea, but I would like X to run from
the server on all "Xterminals", and of course "X -query" fails that way...

Thanks,
Alex

> I want users to use user-level X access controls, that is, xauth(1)
> and the magic cookies. I do NOT want people using xhost(1) access
> controls.
>
> FreeBSD's XFree86 (unlike so many other X dists) defaults to enabling
> xauth. The problem is, it does not prevent lusers from still doing
> things like putting 'xhost +' in their .login and defeating the
> system. (Grrrr...)
>
> I've been searching and cannot find a way to disable xhost(1) level
> access. And I mean disabling as in defaulting to everything locked out
> as opposed to defaulting to wide open. If a user were to 'xhost +' it
> would not open things up.
>
> Is there such a way to do this (aside from 'rm /usr/bin/xhost' and setting
> all user writable filesystems noexec)? This is for xdm(1) setups and
> not necessarily xinit(1).
> --
> Crist J. Clark                           cjclark@alum.mit.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
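
The quoted message describes users putting 'xhost +' in their .login. As an added example (not from the thread or from FreeBSD/XFree86), the script below audits home directories for startup files that run xhost with a "+" argument; it only detects the setting and does not disable host-based access in the X server. The dotfile list, the one-directory-per-user layout and the sample tree built by `make_sample` are assumptions.

```shell
#!/bin/sh
# Added example: find startup files that run "xhost +" or "xhost +host".
# Assumption: these are the startup files worth checking on this system.
DOTFILES=".login .cshrc .profile .bash_profile .bashrc .xsession .xinitrc"

# scan_home DIR: print "file:lineno:text" for each uncommented line in
# DIR's startup files that calls xhost (bare or by path) with a "+" argument.
scan_home() {
    dir=$1
    for f in $DOTFILES; do
        [ -f "$dir/$f" ] || continue
        grep -n -E '(^|[;&|[:space:]/])xhost[[:space:]]+\+' "$dir/$f" |
            grep -v -E '^[0-9]+:[[:space:]]*#' |
            while IFS= read -r hit; do
                printf '%s:%s\n' "$dir/$f" "$hit"
            done
    done
}

# count_findings ROOT: number of offending lines across ROOT/*/ homes.
count_findings() {
    root=$1
    for home in "$root"/*/; do
        [ -d "$home" ] && scan_home "${home%/}"
    done | wc -l | tr -d ' '
}

# make_sample: build a constructed tree of three homes for an offline run
# and print its path (alice opens access, bob has it commented out,
# carol adds a single host from an .xsession).
make_sample() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/alice" "$sample/bob" "$sample/carol"
    printf 'setenv EDITOR vi\nxhost +\n' > "$sample/alice/.login"
    printf '# xhost +\nxauth list\n' > "$sample/bob/.login"
    printf '/usr/bin/xhost +lab1 >/dev/null\n' > "$sample/carol/.xsession"
    echo "$sample"
}

# When given home directories as arguments, report on each of them.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do scan_home "$h"; done
fi
```

A trailing comment such as `echo hi # xhost +` is still reported, so treat the output as a list to review rather than a verdict.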