From owner-freebsd-security Sun Sep 13 20:08:25 1998
Message-ID: <35FC888F.89EF324C@softweyr.com>
Date: Sun, 13 Sep 1998 21:07:59 -0600
From: Wes Peters
Organization: Softweyr llc
To: Igor Roshchin
CC: security@FreeBSD.ORG
Subject: Re: X-security
References: <199809132119.QAA15620@alecto.physics.uiuc.edu>

Igor Roshchin wrote:
>
> AFAIK, XFree86 does allow you to disable access to your DISPLAY
> even from the localhost by other users.
> (E.g. on SGIs one can always run any program with DISPLAY set local to
> localhost:0, and you can not disable that).

You're right. By default, XFree86 uses "MIT MAGIC COOKIE" authentication;
when the server starts it creates a .Xauthority file in your home directory.
Anyone who can read this file will still be able to connect to your X
server -- the root account on your machine, for instance. Try it on your
system: log in as root and try xdpyinfo; it will fail saying

    # export DISPLAY=:0
    # xdpyinfo
    Xlib: connection to ":0.0" refused by server
    Xlib: Client is not authorized to connect to Server
    xdpyinfo: unable to open display ":0".

Now try it again, specifying YOUR Xauthority file:

    # export XAUTHORITY=~wes/.Xauthority
    # xdpyinfo
    name of display: :0.0
    version number: 11.0
    vendor string: The XFree86 Project, Inc
    vendor release number: 3320
    maximum request size: 4194300 bytes
    ...

I use this at work, where I am typically logged onto one or more large
server machines from my workstation. My .profile on the server machines
copies over my current .Xauthority file whenever I log in, allowing me
access to the workstation display.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
http://www.softweyr.com/~softweyr                       wes@softweyr.com
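As an added illustration of the file this thread is about (example code, not from the original message or from XFree86): a parser for the .Xauthority format as written by libXau/xauth(1), which lists the displays the file grants access to without exposing the cookies, and a check of whether the file mode lets users other than root read them. The host name and address in the constructed sample come from the message headers; the cookie values are made up.

```python
"""Parse an .Xauthority file: entries of u16 family plus four u16-length-
prefixed fields (address, display number, auth name, auth data), all
big-endian, as written by libXau/xauth(1). Cookie bytes are never printed."""
import stat
import struct

FAMILIES = {0: "Internet", 6: "InternetV6", 254: "Wild", 256: "Local"}

def _field(buf, off):
    """Read one u16-length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n

def parse_xauthority(buf):
    """Return one dict per entry; the cookie itself is not exposed."""
    entries, off = [], 0
    while off < len(buf):
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        addr, off = _field(buf, off)
        number, off = _field(buf, off)
        name, off = _field(buf, off)
        data, off = _field(buf, off)
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            "address": ".".join(map(str, addr)) if family == 0 else addr.decode(errors="replace"),
            "display": number.decode(errors="replace"),
            "auth_name": name.decode(errors="replace"),
            "cookie_len": len(data),
        })
    return entries

def build_entry(family, address, display, name, data):
    """Encode one entry; used here only to construct sample input."""
    out = struct.pack(">H", family)
    for f in (address, display, name, data):
        out += struct.pack(">H", len(f)) + f
    return out

def readable_by_others(mode):
    """True if group or other can read the file, i.e. the cookies leak
    to more than root (who can read it regardless, as the thread notes)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

# Constructed sample: a local entry for display :0 with a 16-byte cookie,
# plus a TCP entry for the same host, as xauth would write them.
SAMPLE = (build_entry(256, b"zaphod", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + build_entry(0, bytes([204, 68, 178, 35]), b"0", b"MIT-MAGIC-COOKIE-1", b"\xab" * 16))
```

Run it against a real file with `parse_xauthority(open(path, "rb").read())` and `readable_by_others(os.stat(path).st_mode)`; a mode other than 0600 means the cookies are readable by more than the owner and root.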