Date: Wed, 30 Aug 2000 20:34:27 +0100
From: David Pick <D.M.Pick@qmw.ac.uk>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
Message-ID: <E13UDcy-000PJR-00@dialup-janus.css.qmw.ac.uk>
In-Reply-To: Your message of "Wed, 30 Aug 2000 06:45:45 PDT." <200008301346.e7UDkbA84396@cwsys.cwsent.com>

> A less invasive approach would be to specify -nolisten tcp on your
> Xserver command line. Users must then set their DISPLAY variable to
> :0, as it uses UNIX Domain Sockets.

Good move. In fact, I set up *all* my systems that way by editing
the "/usr/X11R6/lib/X11/xdm/Xservers" file. Any X connections to
remote machines have to be carried in a SSH tunnel and since they
are done that way even the authentication data for the local display
doesn't have to leave the local machine.

It's still a good idea to make sure no remote clients can do anything
nasty to your X display - and there are several things which can be
done here.

I wonder if there's enough support for this setup to be worth writing
a patch to "sysinstall" to have the XFree86 setup ask if "Xservers"
should be modified in this way during setup - and which way round
should be the default?

-- 
David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
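
A check for the setup described in the message above, added here as an example and not part of the original e-mail: it reports which local entries in an xdm Xservers file still start the X server without "-nolisten tcp". It assumes the usual Xservers line layout (display name, optional class, type, server command); the server path and sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit an xdm Xservers file for local X servers that
# would still listen on TCP (no "-nolisten tcp" on the command line).

# Print the display name of every "local" entry whose server command
# lacks "-nolisten tcp". Comments and blank lines are skipped, and
# "foreign" entries (no server command) are ignored.
xservers_tcp_listeners() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            # The type keyword is field 2, or field 3 when a display
            # class is given.
            pos = 0
            for (i = 2; i <= 3 && i <= NF; i++)
                if ($i == "local") { pos = i; break }
            if (!pos) next

            ok = 0
            for (i = pos + 1; i < NF; i++)
                if ($i == "-nolisten" && $(i + 1) == "tcp") ok = 1
            if (!ok) print $1
        }
    ' "$1"
}

# Constructed sample input (not taken from the message).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Xservers - constructed sample
:0 local /usr/X11R6/bin/X -nolisten tcp
:1 local /usr/X11R6/bin/X :1
:2 MyClass local /usr/X11R6/bin/X :2 -nolisten tcp
remote:0 foreign
EOF

xservers_tcp_listeners "$sample"   # prints :1
rm -f "$sample"
```

Run against the real file with `xservers_tcp_listeners /usr/X11R6/lib/X11/xdm/Xservers`; empty output means every local server is started with TCP listening disabled.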