Date: Tue, 29 Aug 2000 23:44:51 -0700
From: "Crist J . Clark"
To: freebsd-security@freebsd.org
Subject: Disabling xhost(1) Access Control
Message-ID: <20000829234451.G62475@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

I want users to use user-level X access controls, that is, xauth(1) and the magic cookies. I do NOT want people using xhost(1) access controls. FreeBSD's XFree86 (unlike so many other X dists) defaults to enabling xauth. The problem is, it does not prevent lusers from still doing things like putting 'xhost +' in their .login and defeating the system. (Grrrr...)

I've been searching and cannot find a way to disable xhost(1) level access. And I mean disabling as in defaulting to everything locked out as opposed to defaulting to wide open. If a user were to 'xhost +' it would not open things up.

Is there such a way to do this (aside from 'rm /usr/bin/xhost' and setting all user writable filesystems noexec)? This is for xdm(1) setups and not necessarily xinit(1).

--
Crist J. Clark                           cjclark@alum.mit.com
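
Added example, not part of the original post: a shell audit that finds the `xhost +` lines the message describes by scanning each user's startup files and reporting every xhost call that disables access control or grants a host. The file list, the one-directory-per-user layout and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Audit per-user startup files for xhost(1) calls that widen X access.
# Assumption: the files below are the ones read at login or by the xdm
# session; extend the list for other shells or session scripts.
STARTUP_FILES=".login .cshrc .profile .xsession .xinitrc"

# scan_file FILE
# Prints "FILE:LINE:open" for a bare "xhost +" (access control disabled)
# and "FILE:LINE:grant NAME" for "xhost +NAME" (one host or user added).
scan_file() {
    awk -v f="$1" '
    {
        line = $0
        sub(/#.*/, "", line)                    # ignore shell comments
        nc = split(line, cmd, /[;&|]+/)         # one entry per command
        for (c = 1; c <= nc; c++) {
            nw = split(cmd[c], w, /[ \t()]+/)
            seen = 0
            for (i = 1; i <= nw; i++) {
                if (w[i] ~ /(^|\/)xhost$/) { seen = 1; continue }
                if (!seen) continue             # argument of another command
                if (w[i] == "+")
                    print f ":" NR ":open"
                else if (w[i] ~ /^\+./)
                    print f ":" NR ":grant " substr(w[i], 2)
            }
        }
    }' "$1"
}

# scan_homes BASE
# Runs scan_file over every startup file under BASE/<user>/.
scan_homes() {
    for home in "$1"/*/; do
        for name in $STARTUP_FILES; do
            if [ -f "$home$name" ]; then
                scan_file "$home$name"
            fi
        done
    done
    return 0
}

# Stand-alone use: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    scan_homes "$1"
fi
```

Findings only show what a startup file will run at the next login; `xhost` with no arguments, run inside the session, prints the server's current access control state.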