Date: Sun, 13 Sep 1998 21:07:59 -0600
From: Wes Peters <wes@softweyr.com>
To: Igor Roshchin <igor@physics.uiuc.edu>
Cc: security@FreeBSD.ORG
Subject: Re: X-security
Message-ID: <35FC888F.89EF324C@softweyr.com>
References: <199809132119.QAA15620@alecto.physics.uiuc.edu>
Igor Roshchin wrote:
>
> AFAIK, XFree86 does allow to disable access to your DISPLAY
> even from the localhost by other users
> (E.g. on SGIs one can always run any program with DISPLAY set local to
> localhost:0, and you can not disable that).

You're right. By default, XFree86 uses "MIT MAGIC COOKIE" authentication;
when the server starts it creates a .Xauthority file in your home directory.
Anyone who can read this file will still be able to connect to your X
server -- the root account on your machine, for instance. Try it on your
system: login as root and try xdpyinfo; it will fail saying

    # export DISPLAY=:0
    # xdpyinfo
    Xlib: connection to ":0.0" refused by server
    Xlib: Client is not authorized to connect to Server
    xdpyinfo: unable to open display ":0".

Now try it again, specifying YOUR Xauthority file:

    # export XAUTHORITY=~wes/.Xauthority
    # xdpyinfo
    name of display: :0.0
    version number: 11.0
    vendor string: The XFree86 Project, Inc
    vendor release number: 3320
    maximum request size: 4194300 bytes
    ...

I use this at work, where I am typically logged onto one or more large
server machines from my workstation. My .profile on the server machines
copies over my current .Xauthority file whenever I login, allowing me
access to the workstation display.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
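The message above makes two practical points: the MIT-MAGIC-COOKIE-1 value in ~/.Xauthority is a bearer token (anyone who can read the file, root included, can connect), and copying the whole file to other hosts is one way to carry it around. The script below is an added example written for this archive page; it is not code from the list message, from Wes Peters or from the FreeBSD or XFree86 projects. It parses the on-disk format that libXau writes (a 16-bit big-endian family code followed by four length-prefixed strings per entry), audits the file's mode and owner and flags wildcard or undersized cookie entries, and shows how to slice out only the cookie for one display before sending a copy elsewhere, which is what `xauth extract` does. The sample file contents, the host name "workstation" and the fixed cookie bytes are constructed for the example; a real server generates random cookies.

```python
"""Audit and slice an .Xauthority file.

Added example for this archive page (not code from the list message).
The MIT-MAGIC-COOKIE-1 entries in ~/.Xauthority are bearer tokens: whoever
can read the file can connect to the display.  This script parses the
libXau on-disk format, checks file mode and owner, reports risky entries,
and extracts only the cookie for one display so that a copy carried to
another host holds no more than it needs.
"""
import os
import stat
import struct
from dataclasses import dataclass
from typing import List

# Family constants as defined in <X11/Xauth.h>
FAMILY_INTERNET = 0
FAMILY_LOCAL = 256
FAMILY_WILD = 65535
FAMILY_NAMES = {FAMILY_INTERNET: "Internet", 6: "Internet6",
                FAMILY_LOCAL: "Local", FAMILY_WILD: "Wild"}

MIT_COOKIE = b"MIT-MAGIC-COOKIE-1"


@dataclass
class XauthEntry:
    family: int
    address: bytes   # host name for Local entries, packed address for Internet
    number: bytes    # display number as ASCII digits, e.g. b"0"
    name: bytes      # authorization protocol name
    data: bytes      # the cookie itself (16 random bytes for MIT-MAGIC-COOKIE-1)


def _read_counted(buf: bytes, pos: int):
    """Read one 16-bit big-endian length, then that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Decode the libXau format: family, then four counted strings, repeated."""
    entries = []
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family field at offset %d" % pos)
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _read_counted(buf, pos)
        number, pos = _read_counted(buf, pos)
        name, pos = _read_counted(buf, pos)
        data, pos = _read_counted(buf, pos)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def serialize_xauthority(entries: List[XauthEntry]) -> bytes:
    """Inverse of parse_xauthority; produces a file xauth can read."""
    return b"".join(struct.pack(">H", e.family) + _counted(e.address)
                    + _counted(e.number) + _counted(e.name) + _counted(e.data)
                    for e in entries)


def extract_for_display(entries: List[XauthEntry], display_number: int) -> List[XauthEntry]:
    """Keep only the entries for one display (the effect of `xauth extract`),
    so a copy sent to a remote host does not also carry other displays' cookies."""
    wanted = str(display_number).encode()
    return [e for e in entries if e.number == wanted]


def audit_entries(entries: List[XauthEntry]) -> List[str]:
    """Flag entries that widen who can use the cookie or weaken the cookie itself."""
    findings = []
    for e in entries:
        where = "%s/%s:%s" % (FAMILY_NAMES.get(e.family, str(e.family)),
                              e.address.decode(errors="replace"),
                              e.number.decode(errors="replace"))
        if e.family == FAMILY_WILD:
            findings.append("%s: wildcard entry matches any host" % where)
        if e.name == MIT_COOKIE and len(e.data) < 16:
            findings.append("%s: MIT-MAGIC-COOKIE-1 shorter than 16 bytes" % where)
    return findings


def audit_file(path: str) -> List[str]:
    """Mode and owner checks plus entry checks.  These only keep other unprivileged
    users out: root reads the file regardless, which is the message's point."""
    st = os.stat(path)
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("%s: mode %o grants group/other access (expect 0600)" % (path, mode))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("%s: owned by uid %d, not the current user" % (path, st.st_uid))
    with open(path, "rb") as f:
        findings.extend(audit_entries(parse_xauthority(f.read())))
    return findings


def build_sample() -> bytes:
    """Constructed sample: two local displays on a host named 'workstation' plus a
    wildcard entry with a short cookie.  Cookie bytes are fixed here for the example."""
    return serialize_xauthority([
        XauthEntry(FAMILY_LOCAL, b"workstation", b"0", MIT_COOKIE, bytes(range(16))),
        XauthEntry(FAMILY_LOCAL, b"workstation", b"1", MIT_COOKIE, bytes(range(16, 32))),
        XauthEntry(FAMILY_WILD, b"", b"0", MIT_COOKIE, b"\x00" * 8),
    ])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.Xauthority")
    for line in audit_file(target):
        print(line)
```

Run it with no argument to audit your own ~/.Xauthority, or pass a path. To carry a single display's cookie to another host, write `serialize_xauthority(extract_for_display(entries, 0))` to a file with mode 0600 and point XAUTHORITY at it there, rather than copying the whole file as the message describes.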