Date: Wed, 16 Sep 1998 00:05:34 -0600
From: Warner Losh <imp@village.org>
To: rotel@indigo.ie
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: X Security (was: Re: Err.. cat exploit.. (!))
Message-ID: <199809160605.AAA04664@harmony.village.org>
In-Reply-To: Your message of "Tue, 15 Sep 1998 22:25:03 -0000." <199809152125.WAA01218@indigo.ie>
References: <199809152125.WAA01218@indigo.ie>

In message <199809152125.WAA01218@indigo.ie> Niall Smart writes:
: Actually, xterm will not accept synthetically generated keystrokes
: from XSendEvent by default, but there is nothing stopping someone
: from capturing keystrokes and other events. This is a pretty
: pedantic point, anyone using xhost to manage X security deserves
: to get stung.

But it will accept keystrokes generated from XTEST by default. I have
a Newton keyboard I use with my Libretto which uses this feature. It
would appear that the keystroke program even works with a remote
display I can connect to, which is both way cool, and a possible
nightmare from a security point of view. XTEST even supports mouse
movements and clicking, which I plan to add to the Newton keyboard
just as soon as I find a way of faking mice that I like.

There are several X extensions that can be used here that are
compiled into XFree86 by default. I think they are XInputExtension,
XKEYBOARD and XTEST, but I'm not sure about XKEYBOARD. There is even
a RECORD extension listed on my xdpyinfo output that looks like it
could be very interesting indeed.

X security is less like Swiss cheese, and more like chicken wire if
you are just using xhost for your security.

Warner
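
An audit check for the point made in the message above, added here as an example and not part of the original e-mail: it lists which of the named extensions a display advertises in `xdpyinfo` output and classifies what `xhost` reports. The function names, the sample output and the hostname are constructed for illustration, and the parsing assumes the usual `xdpyinfo` and `xhost` text layout.

```sh
#!/bin/sh
# Added example: which of the extensions named in the message does a display
# advertise, and is it relying on xhost for access control?

# Constructed sample of `xdpyinfo` output (abridged), not captured from a real host.
sample_xdpyinfo() {
cat <<'EOF'
name of display:    :0.0
version number:    11.0
number of extensions:    6
    BIG-REQUESTS
    RECORD
    SHAPE
    XInputExtension
    XKEYBOARD
    XTEST
default screen number:    0
EOF
}

# Constructed sample of `xhost` output with one host-based entry.
sample_xhost() {
cat <<'EOF'
access control enabled, only authorized clients can connect
INET:client.example.org
EOF
}

# Print every extension name from xdpyinfo output on stdin, one per line.
# The list is the space-indented block after "number of extensions:".
list_extensions() {
    awk '/^number of extensions:/ { in_ext = 1; next }
         in_ext && /^[^ ]/        { in_ext = 0 }
         in_ext && NF             { print $1 }'
}

# Keep only the extensions the message names (input synthesis and recording).
watched_extensions() {
    list_extensions | grep -Fx -e XTEST -e RECORD -e XInputExtension -e XKEYBOARD || true
}

# Classify xhost output on stdin: "open" (access control disabled),
# "host-list" (host-based entries present) or "restricted".
xhost_posture() {
    awk '/^access control disabled/          { disabled = 1 }
         !/^access control/ && !/^SI:/ && NF { hosts++ }
         END { print (disabled ? "open" : hosts ? "host-list" : "restricted") }'
}

# Demo on the constructed samples; on a live display pipe the real commands in.
printf 'extensions: %s\n' "$(sample_xdpyinfo | watched_extensions | tr '\n' ' ')"
printf 'xhost:      %s\n' "$(sample_xhost | xhost_posture)"
```

On a live system, `xdpyinfo | watched_extensions` and `xhost | xhost_posture` give the same report for the current `$DISPLAY`.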