Date:      Wed, 30 Aug 2000 00:53:52 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        freebsd-questions@freebsd.org
Cc:        cjclark@alum.mit.edu, freebsd-security@freebsd.org
Subject:   Re: Disabling xhost(1) Access Control
Message-ID:  <20000830005352.I62475@149.211.6.64.reflexcom.com>
In-Reply-To: <3799.967621138@axl.fw.uunet.co.za>; from sheldonh@uunet.co.za on Wed, Aug 30, 2000 at 09:38:58AM +0200
References:  <20000829234451.G62475@149.211.6.64.reflexcom.com> <3799.967621138@axl.fw.uunet.co.za>

On Wed, Aug 30, 2000 at 09:38:58AM +0200, Sheldon Hearn wrote:
> 
> On Tue, 29 Aug 2000 23:44:51 MST, "Crist J . Clark" wrote:
> 
> > Is there such a way to do this (aside 'rm /usr/bin/xhost' and setting
> > all user writable filesystems noexec)? This is for xdm(1) setups and
> > not necessarily xinit(1).
> 
> I think that this question was more appropriate to the freebsd-questions
> mailing list.

It'd be best on an X list, but I've not found one with enough
signal-to-noise or enough baseline signal.

> The answer to your question lies in the Xserver(1) manual page, in the
> form of the -ac option.

No, that is precisely the behavior I do not want.

       -ac     disables  host-based  access  control  mechanisms.
               Enables  access  by any host, and permits any host
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
               to modify  the  access  control  list.   Use  with
               extreme caution.  This option exists primarily for
               running test suites remotely.

Xserver(1) and Xsecurity(1) talk about how to use xauth over xhost,
but not how to lock out use of xhost.
-- 
Crist J. Clark                           cjclark@alum.mit.com