To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
References: <20000829234451.G62475@149.211.6.64.reflexcom.com>
From: joda@pdc.kth.se (Johan Danielsson)
Date: 30 Aug 2000 12:35:48 +0200
In-Reply-To: "Crist J . Clark"'s message of "Tue, 29 Aug 2000 23:44:51 -0700"

"Crist J . Clark" writes:

> Is there such a way to do this (aside 'rm /usr/bin/xhost' and
> setting all user writable filesystems noexec)?

Not without recompiling the Xserver. If you want to do that there are
at least two places you have to change the behaviour in
programs/Xserver/os/access.c:

* for the `xhost +' case change ChangeAccessControl(), to only succeed
  for the enable case (paranoid people use `xhost -' routinely).

* for `xhost +host' change AddHost() to your liking (ifdef out
  FamilyInternet).

I don't know if the FreeBSD xsrc tree differs from what I have, but I
don't think so.

/Johan
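
The two changes described in the message above, as an added stand-alone model that is not part of the original message and is not the X server source. Only the names ChangeAccessControl(), AddHost() and FamilyInternet come from the message; the signatures, globals, constant values and the ALLOW_INTERNET_HOSTS switch are assumptions made so the file compiles by itself.

```c
/* Stand-alone model of the policy in the message; NOT the X server source.
 * Signatures, globals and constant values are simplified assumptions. */
#include <stdio.h>

enum { Success = 0, BadValue = 2, BadAccess = 10 };
enum { FamilyInternet = 0, FamilyLocalHost = 252 };  /* model values */

#define ALLOW_INTERNET_HOSTS 0  /* 0 models "ifdef out FamilyInternet" */

static int AccessEnabled = 1;   /* 1 = host-based access control is on */
static int host_count = 0;      /* number of entries on the access list */

/* `xhost +` asks for fEnabled = 0, `xhost -` asks for fEnabled = 1. */
int ChangeAccessControl(int client_authorized, int fEnabled)
{
    if (!client_authorized)
        return BadAccess;
    if (!fEnabled)
        return BadAccess;       /* hardened: never switch access control off */
    AccessEnabled = 1;          /* the enable case still succeeds */
    return Success;
}

/* `xhost +host` arrives here with the address family of the new entry. */
int AddHost(int client_authorized, int family)
{
    if (!client_authorized)
        return BadAccess;
    switch (family) {
#if ALLOW_INTERNET_HOSTS
    case FamilyInternet:        /* compiled out: remote hosts cannot be added */
#endif
    case FamilyLocalHost:
        host_count++;
        return Success;
    default:
        return BadValue;        /* FamilyInternet now lands here */
    }
}

int main(void)
{
    printf("xhost +     -> %d\n", ChangeAccessControl(1, 0));
    printf("xhost -     -> %d\n", ChangeAccessControl(1, 1));
    printf("xhost +host -> %d\n", AddHost(1, FamilyInternet));
    return 0;
}
```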