Date:      Sun, 13 Sep 1998 21:07:59 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Igor Roshchin <igor@physics.uiuc.edu>
Cc:        security@FreeBSD.ORG
Subject:   Re: X-security
Message-ID:  <35FC888F.89EF324C@softweyr.com>
References:  <199809132119.QAA15620@alecto.physics.uiuc.edu>

Igor Roshchin wrote:
> 
> AFAIK, XFree86 does allow to disable access to your DISPLAY
> even from the localhost by other users
> (E.g. on SGIs one can always run any program with DISPLAY set local to
> localhost:0, and you can not disable that).

You're right.  By default, XFree86 uses "MIT MAGIC COOKIE" authentication;
when the server starts it creates a .Xauthority file in 
your home directory.  Anyone who can read this file will still be 
able to connect to your X server -- the root account on your machine, 
for instance.  Try it on your system: login as root and try xdpyinfo;
it will fail saying

	# export DISPLAY=:0
	# xdpyinfo
	Xlib: connection to ":0.0" refused by server
	Xlib: Client is not authorized to connect to Server
	xdpyinfo:  unable to open display ":0".

Now try it again, specifying YOUR Xauthority file:

	# export XAUTHORITY=~wes/.Xauthority
	# xdpyinfo
	name of display:    :0.0
	version number:    11.0
	vendor string:    The XFree86 Project, Inc
	vendor release number:    3320
	maximum request size:  4194300 bytes
	...

I use this at work, where I am typically logged onto one or more
large server machines from my workstation.  My .profile on the
server machines copies over my current .Xauthority file whenever I
login, allowing me access to the workstation display.
-- 
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com
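An added example, not part of this thread, that makes the point above concrete from the defender's side: it decodes the binary .Xauthority format (big-endian uint16 length-prefixed fields, per Xauth.h) to list which displays a given file unlocks, and reports whether the file mode lets group or other users read it. The sample entries and the "workstation" host name are constructed for the test; the script itself reads your own ~/.Xauthority.

```python
"""Audit a .Xauthority file: which displays does it unlock, and who can read it?"""
import os
import stat
import struct
import sys
from typing import Dict, List

# Address families used in .Xauthority entries (values from Xauth.h).
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def _field(buf: bytes, pos: int):
    """Read one length-prefixed field: big-endian uint16 length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(buf: bytes) -> List[Dict[str, str]]:
    """Decode every entry: family, address, display number, auth name, cookie (hex)."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        address, pos = _field(buf, pos + 2)
        number, pos = _field(buf, pos)
        name, pos = _field(buf, pos)
        data, pos = _field(buf, pos)
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            # Local entries carry a host name; Internet entries carry raw address bytes.
            "address": address.decode("latin-1") if family == 256 else address.hex(),
            "display": number.decode("ascii"),
            "name": name.decode("ascii"),
            "cookie": data.hex(),
        })
    return entries

def encode_entry(family: int, address: bytes, number: bytes, name: bytes, data: bytes) -> bytes:
    """Inverse of parse_xauthority for one entry; used here to build constructed input."""
    out = struct.pack(">H", family)
    for f in (address, number, name, data):
        out += struct.pack(">H", len(f)) + f
    return out

def audit(buf: bytes, mode: int) -> Dict[str, object]:
    """Summarise what the file unlocks and whether group/other can read the cookies."""
    entries = parse_xauthority(buf)
    return {
        "displays": sorted({f"{e['address']}:{e['display']}" for e in entries}),
        "cookies": len(entries),
        "group_or_other_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.Xauthority")
    with open(path, "rb") as fh:
        print(audit(fh.read(), os.stat(path).st_mode))
```

Note that a readable mode is only one exposure path; as the message says, root reads the file regardless, so the file's contents, not its mode, decide which displays a copied file can reach.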
