From owner-freebsd-security Wed Aug 30 12:34:42 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id D3F1737B43E for ; Wed, 30 Aug 2000 12:34:39 -0700 (PDT)
Received: from dialup-janus.css.qmw.ac.uk ([138.37.11.110]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 13UDd2-0002L0-00; Wed, 30 Aug 2000 20:34:32 +0100
Received: from david by dialup-janus.css.qmw.ac.uk with local (Exim 2.12 #1) id 13UDcy-000PJR-00; Wed, 30 Aug 2000 20:34:28 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
In-reply-to: Your message of "Wed, 30 Aug 2000 06:45:45 PDT." <200008301346.e7UDkbA84396@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 30 Aug 2000 20:34:27 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> A less invasive approach would be to specify -nolisten tcp on your
> Xserver command line. Users must then set their DISPLAY variable to
> :0, as it uses UNIX Domain Sockets.

Good move. In fact, I set up *all* my systems that way by editing the
"/usr/X11R6/lib/X11/xdm/Xservers" file. Any X connections to remote
machines have to be carried in an SSH tunnel, and since they are done
that way, even the authentication data for the local display doesn't
have to leave the local machine. It's still a good idea to make sure no
remote clients can do anything nasty to your X display - and there are
several things which can be done here.

I wonder if there's enough support for this setup to be worth writing a
patch to "sysinstall" to have the XFree86 setup ask if "Xservers" should
be modified in this way during setup - and which way round should be
the default?

--
David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
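The setup discussed in this exchange (starting the xdm-managed X server with `-nolisten tcp` so that display :0 is reachable only over its UNIX domain socket, and then confirming that nothing is left listening on TCP port 6000) as an added shell example. This is not code from the mail or from the FreeBSD or XFree86 projects. It assumes the XFree86 stock `Xservers` entry `:0 local /usr/X11R6/bin/X`; the `sockstat`/`netstat` style lines it checks are constructed for the demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD/XFree86.
# Two helpers for the setup described in the thread:
#   1. harden_xservers: rewrite xdm's Xservers file so every server line
#      starts X with "-nolisten tcp" (display :0 is then reachable only over
#      the UNIX domain socket; remote X goes through an SSH tunnel instead).
#   2. x_tcp_listener_present: read sockstat(1)/netstat(1)-style output on
#      stdin and report whether a TCP socket is still bound to port 6000,
#      the port used by display :0.
# Path taken from the mail; the default server line is the XFree86 stock entry.
XSERVERS=/usr/X11R6/lib/X11/xdm/Xservers

harden_xservers() {
    # Copy comments and blank lines through; leave lines that already carry
    # the option alone; append "-nolisten tcp" to every other server line.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '' | '#'*)           printf '%s\n' "$line" ;;
            *"-nolisten tcp"*)   printf '%s\n' "$line" ;;
            *)                   printf '%s -nolisten tcp\n' "$line" ;;
        esac
    done
}

x_tcp_listener_present() {
    # Match "tcp4 *:6000" (sockstat) or "tcp4 0 0 *.6000" (netstat -an);
    # a port such as ":60001" is rejected by the trailing separator check.
    grep -Eiq 'tcp.*[.:]6000([[:space:]]|$)'
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_XSERVERS=':0 local /usr/X11R6/bin/X'
SAMPLE_LISTENING='root     XFree86    300   1 tcp4   *:6000     *:*'
SAMPLE_CLOSED='root     sshd       200   3 tcp4   *:22       *:*'

echo "Xservers line after hardening:"
printf '%s\n' "$SAMPLE_XSERVERS" | harden_xservers

for sample in "$SAMPLE_LISTENING" "$SAMPLE_CLOSED"; do
    if printf '%s\n' "$sample" | x_tcp_listener_present; then
        echo "TCP listener on :6000 found  -> X still accepts network clients"
    else
        echo "no TCP listener on :6000     -> X reachable only via UNIX socket"
    fi
done

# On a live system (not run here): generate a new file, review it, install it,
# then confirm after the next X start that the TCP listener is gone.
#   harden_xservers < "$XSERVERS" > Xservers.new
#   sockstat -4l | x_tcp_listener_present && echo "X still listens on TCP"
```

The rewrite is kept idempotent on purpose: running it over a file that already carries the option changes nothing, so it can sit in a post-install hook without stacking flags. The listener check is the part worth keeping after the change is made, since a hand edit to `Xservers` that fails to take effect (wrong file, xdm not restarted) leaves port 6000 open while the administrator believes it is closed.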