Date:      Tue, 6 Jul 1999 13:50:35 -0400 (EDT)
From:      David Gilbert <dgilbert@velocet.ca>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>, security@FreeBSD.ORG
Subject:   Re: X security (was Re: X and SSH)
Message-ID:  <14210.16875.956392.173972@trooper.velocet.ca>
In-Reply-To: <Pine.BSF.3.96.990706070421.296E-100000@fledge.watson.org>
References:  <Pine.SO4.4.05.9906261604430.24379-100000@nenya> <Pine.BSF.3.96.990706070421.296E-100000@fledge.watson.org>

>>>>> "Robert" == Robert Watson <robert@cyrus.watson.org> writes:

Robert> On Sat, 26 Jun 1999, Vladimir Mencl, MK, susSED wrote:
>> On Sat, 26 Jun 1999, Robert Watson wrote:
>> 
>> ...
>> 
>> > I personally like to run incoming tunneled X sessions from under-trusted
>> > hosts in Xnest, but maybe that's just me... :-)
>> 
>> Does it give more security?

Robert> I have not inspected Xnest source, so it might be worth doing
Robert> sometime.  My suspicion is it actually renders the virtual
Robert> display as a bitmap.  Probably a better alternative would be
Robert> to write an X proxy that speaks the X protocol and prevents
Robert> unfortunate things from happening (grabs, xinput capture,
Robert> etc?), perhaps one that spoke to a window manager with
Robert> security extensions to allow you to take advantage of
Robert> knowledge of window behavior.

You might be better off starting with the dxpc source, then, as that
code is already optimized to do just that.  The X proxy in ssh also
does some xauth translation (where the X proxy in dxpc just transfers
it as given).

Dave.

-- 
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be     |
|Mail:       dgilbert@velocet.net             |  equal if and only if they |
|http://www.velocet.net/~dgilbert             |   are precisely opposite.  |
=========================================================GLO================
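
The kind of check a filtering X proxy as discussed in this thread would need, as an added example (not code from the thread, dxpc or ssh): it walks a client-to-server X11 byte stream and reports core-protocol grab requests. The sample stream and all function names are constructed for illustration.

```python
import struct

# Core X11 request opcodes for grabs. Extension requests such as XInput use
# major opcodes >= 128 assigned per connection, so they are not covered here.
GRAB_OPCODES = {26: "GrabPointer", 28: "GrabButton", 31: "GrabKeyboard",
                33: "GrabKey", 36: "GrabServer"}

def pad4(n):
    """Round n up to the 4-byte boundary the X11 wire format uses."""
    return (n + 3) & ~3

def find_grab_requests(stream):
    """Return [(request name, byte offset)] for each grab in a client stream."""
    if len(stream) < 12 or stream[0] not in (0x42, 0x6C):
        raise ValueError("not an X11 connection setup")
    order = ">" if stream[0] == 0x42 else "<"   # 'B' = MSB first, 'l' = LSB first
    name_len, data_len = struct.unpack_from(order + "HH", stream, 6)
    pos = 12 + pad4(name_len) + pad4(data_len)  # skip setup and auth fields
    hits = []
    while pos + 4 <= len(stream):
        opcode, _detail, units = struct.unpack_from(order + "BBH", stream, pos)
        if units == 0:
            # Zero length is invalid in the core protocol (BIG-REQUESTS reuses
            # it); fail closed rather than guess where the next request starts.
            raise ValueError("zero-length request at offset %d" % pos)
        if pos + 4 * units > len(stream):
            break                               # partial request: wait for more bytes
        if opcode in GRAB_OPCODES:
            hits.append((GRAB_OPCODES[opcode], pos))
        pos += 4 * units                        # length field counts 4-byte units
    return hits

def request(opcode, detail=0, body=b""):
    """Build one little-endian request (constructed test data only)."""
    return struct.pack("<BBH", opcode, detail, 1 + len(body) // 4) + body

# Constructed sample: setup with a dummy cookie, then four requests.
SAMPLE = (b"l\x00" + struct.pack("<HHHHH", 11, 0, 18, 16, 0)
          + b"MIT-MAGIC-COOKIE-1\x00\x00" + bytes(16)
          + request(127)                        # NoOperation
          + request(31, 1, bytes(12))           # GrabKeyboard
          + request(43)                         # GetInputFocus
          + request(36))                        # GrabServer

if __name__ == "__main__":
    for name, offset in find_grab_requests(SAMPLE):
        print("%s at byte %d" % (name, offset))
```

A proxy cannot simply delete a flagged request from the stream, because the server's sequence numbers would then no longer match the client's; it has to answer the client itself or close the connection.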

