Date: Wed, 30 Aug 2000 06:45:45 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Per Kristian Hove <perhov+/dev/null@math.ntnu.no>
Cc: Johan Danielsson <joda@pdc.kth.se>, cjclark@alum.mit.edu, freebsd-security@FreeBSD.ORG
Subject: Re: Disabling xhost(1) Access Control
Message-ID: <200008301346.e7UDkbA84396@cwsys.cwsent.com>
In-Reply-To: Your message of "Wed, 30 Aug 2000 15:14:46 +0200." <Pine.GS4.4.21.0008301504230.29108-100000@martens.math.ntnu.no>

In message <Pine.GS4.4.21.0008301504230.29108-100000@martens.math.ntnu.no>, Per Kristian Hove writes:
> [Johan Danielsson]
>
> | If you want to do that there are at least two places you have to
> | change the behaviour in programs/Xserver/os/access.c:
> |
> |  * for the `xhost +' case change ChangeAccessControl(), to only succeed
> |    for the enable case (paranoid people use `xhost -' routinely).
> |
> |  * for `xhost +host' change AddHost() to your liking (ifdef out
> |    FamilyInternet).
>
> If you're paranoid, you should also change the default behaviour
> of InvalidHost() [also in access.c] to return 1 instead of 0 if
> AccessEnabled isn't set [if you're running with `xhost +', that
> is]. This is where the access check actually takes place.

A less invasive approach would be to specify -nolisten tcp on your
Xserver command line. Users must then set their DISPLAY variable to :0,
as it uses UNIX Domain Sockets.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
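
An added example, not part of the original message: two shell helpers for checking that the `-nolisten tcp` advice above is actually in effect on a host. The function names, the sample process and socket listings, and the 6000-6063 port range (TCP port 6000 plus display number, displays 0-63) are assumptions made for this illustration.

```shell
#!/bin/sh
# Audit helpers for the "-nolisten tcp" advice (added example).
# Both functions read text on stdin so they can be run on saved output.

# Print the command line of every X server that lacks "-nolisten tcp".
# Input: one command line per line (e.g. from `ps -axww -o command`).
x_without_nolisten() {
    awk '
    {
        # First word is the program path; match X, Xorg, XFree86 by basename.
        n = split($1, p, "/"); prog = p[n]
        if (prog != "X" && prog != "Xorg" && prog != "XFree86") next
        ok = 0
        for (i = 2; i < NF; i++)
            if ($i == "-nolisten" && $(i + 1) == "tcp") ok = 1
        if (!ok) print
    }'
}

# Print local addresses listening on the X11 TCP range 6000-6063.
# Input: `netstat -an` style lines (local address in column 4, state last).
x11_tcp_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        port = addr
        sub(/^.*[.:]/, "", port)   # BSD prints "*.6000", Linux "0.0.0.0:6000"
        if (port ~ /^[0-9]+$/ && port + 0 >= 6000 && port + 0 <= 6063) print addr
    }'
}

# Constructed sample data (not taken from the original message).
SAMPLE_PS='/usr/X11R6/bin/X :0 -auth /var/run/xauth/A:0-abc
/usr/X11R6/bin/X :1 -nolisten tcp -auth /var/run/xauth/A:1-def
/usr/sbin/sshd'
SAMPLE_NETSTAT='tcp4  0  0  *.6000   *.*   LISTEN
tcp4  0  0  *.22     *.*   LISTEN
tcp4  0  0  10.0.0.5.6000  10.0.0.9.1033  ESTABLISHED'

# Run both checks over the constructed samples.
audit_sample() {
    printf '%s\n' "$SAMPLE_PS" | x_without_nolisten
    printf '%s\n' "$SAMPLE_NETSTAT" | x11_tcp_listeners
}
```

On a live system, pipe the real process and socket listings into the two functions; empty output from both means no X server is reachable over TCP.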