Date:      Sun, 13 Sep 1998 16:19:55 -0500 (CDT)
From:      Igor Roshchin <igor@physics.uiuc.edu>
To:        security@FreeBSD.ORG
Cc:        cschuber@uumail.gov.bc.ca
Subject:   X-security
Message-ID:  <199809132119.QAA15620@alecto.physics.uiuc.edu>


>
> That is why doing an xhost + or even an xhost hostname even to hosts
> that you think you trust is so dangerous.  It is easy for someone to
> inject some "keystrokes" into an Xterm to get a root shell on a host
> that one is logged into.
>
>
> Regards,                       Phone:  (250)387-8437
> Cy Schubert                      Fax:  (250)387-5766
> Open Systems Group          Internet:  cschuber@uumail.gov.bc.ca
> ITSD                                   Cy.Schubert@gems8.gov.bc.ca
> Government of BC
>

Maybe I am wrong,
but xterm (when correctly configured, e.g. no emulation enabled)
will not allow that.
Am I blindly wrong?

The much higher danger in having xhost set to allow outside,
or even inside, connections is the possibility of "stealing" your keystrokes.
AFAIK, XFree86 does allow you to disable access to your DISPLAY
even from the localhost by other users.
(E.g. on SGIs one can always run any program with DISPLAY set local to
localhost:0, and you cannot disable that.)

Regards,

IgoR
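
Added example, not part of the original message: a small shell audit that reads the output of `xhost` and flags the grants discussed in this thread (`xhost +`, host-wide entries, and access for every local user). The function name, the sample host `trusted.example.org` and the sample output are constructed; it assumes the entry formats printed by current X.Org `xhost` and treats any unrecognised entry as a host-wide grant.

```shell
#!/bin/sh
# audit_xhost: classify `xhost` output read on stdin, one finding per line.
# Return status: 0 = only per-user grants, 1 = host-wide or all-local-user
# grants present, 2 = access control disabled (the "xhost +" case).
audit_xhost() {
    worst=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control disabled (xhost +): any host may connect"
                worst=2 ;;
            "access control enabled"*|"")
                ;;  # header line or blank line, nothing to report
            SI:localuser:*)
                echo "ok: per-user grant for ${line#SI:localuser:}" ;;
            LOCAL:*)
                echo "WARN: every local user may connect (LOCAL:)"
                if [ "$worst" -lt 1 ]; then worst=1; fi ;;
            *)
                # INET:host, INET6:host or a bare hostname: every user on
                # that host can reach the display, including keystrokes.
                echo "WARN: host-wide grant: $line"
                if [ "$worst" -lt 1 ]; then worst=1; fi ;;
        esac
    done
    return "$worst"
}

# Constructed sample of `xhost` output (not captured from a real display).
sample_mixed() {
    printf '%s\n' \
        'access control enabled, only authorized clients can connect' \
        'INET:trusted.example.org' \
        'LOCAL:' \
        'SI:localuser:igor'
}

# Demo run on the constructed sample; on a live session use: xhost | audit_xhost
sample_mixed | audit_xhost || echo "audit status: $?"
```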



