From owner-freebsd-security  Wed Aug 30  6:48:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id 00C3C37B422
	for <freebsd-security@FreeBSD.ORG>; Wed, 30 Aug 2000 06:48:34 -0700 (PDT)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA03991;
	Wed, 30 Aug 2000 06:47:17 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda03989; Wed Aug 30 06:47:01 2000
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.9.3/8.9.1) id GAA29788;
	Wed, 30 Aug 2000 06:47:00 -0700 (PDT)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdk29786; Wed Aug 30 06:46:39 2000
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.0/8.9.1) id e7UDkbA84396;
	Wed, 30 Aug 2000 06:46:37 -0700 (PDT)
Message-Id: <200008301346.e7UDkbA84396@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdE84389; Wed Aug 30 06:45:47 2000
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-OS: FreeBSD 4.1-RELEASE
X-Sender: cy
To: Per Kristian Hove <perhov+/dev/null@math.ntnu.no>
Cc: Johan Danielsson <joda@pdc.kth.se>, cjclark@alum.mit.edu,
	freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control 
In-reply-to: Your message of "Wed, 30 Aug 2000 15:14:46 +0200."
             <Pine.GS4.4.21.0008301504230.29108-100000@martens.math.ntnu.no> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 30 Aug 2000 06:45:45 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <Pine.GS4.4.21.0008301504230.29108-100000@martens.math.ntnu.n
o>, Per
 Kristian Hove writes:
> [Johan Danielsson]
> 
> |  If you want to do that there are at least two places you have to
> |  change the behaviour in programs/Xserver/os/access.c:
> |  
> |  * for the `xhost +' case change ChangeAccessControl(), to only succeed
> |    for the enable case (paranoid people use `xhost -' routinely).
> |  
> |  * for `xhost +host' change AddHost() to your liking (ifdef out
> |    FamilyInternet).
> 
> If you're paranoid, you should also change the default behaviour
> of InvalidHost() [also in access.c] to return 1 instead of 0 if
> AccessEnabled isn't set [if you're running with `xhost +', that
> is]. This is where the access check actually takes place.

A less invasive approach would be to specify -nolisten tcp on your 
Xserver command line.  Users must then set their DISPLAY variable to 
:0, as it uses UNIX Domain Sockets.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message