From owner-freebsd-security  Wed Aug 30  6:14:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from martens.math.ntnu.no (martens.math.ntnu.no [129.241.15.250])
	by hub.freebsd.org (Postfix) with SMTP id 5BED437B43C
	for <freebsd-security@FreeBSD.ORG>; Wed, 30 Aug 2000 06:14:48 -0700 (PDT)
Received: (qmail 5879 invoked by uid 29119); 30 Aug 2000 13:14:46 -0000
Date: Wed, 30 Aug 2000 15:14:46 +0200 (MET DST)
From: Per Kristian Hove <perhov+/dev/null@math.ntnu.no>
X-Sender: perhov@martens.math.ntnu.no
To: Johan Danielsson <joda@pdc.kth.se>
Cc: cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
In-Reply-To: <xof8ztfm3y3.fsf@blubb.pdc.kth.se>
Message-ID: <Pine.GS4.4.21.0008301504230.29108-100000@martens.math.ntnu.no>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[Johan Danielsson]

|  If you want to do that there are at least two places you have to
|  change the behaviour in programs/Xserver/os/access.c:
|  
|  * for the `xhost +' case change ChangeAccessControl(), to only succeed
|    for the enable case (paranoid people use `xhost -' routinely).
|  
|  * for `xhost +host' change AddHost() to your liking (ifdef out
|    FamilyInternet).

If you're paranoid, you should also change the default behaviour
of InvalidHost() [also in access.c] to return 1 instead of 0 if
AccessEnabled isn't set [if you're running with `xhost +', that
is]. This is where the access check actually takes place.


-- 
Per Kristian Hove
Principal engineer
Dept. of Mathematical Sciences
Norwegian University of Science and Technology




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message