Subject: X security query.
To: None <email@example.com>
From: Aidan Kehoe <firstname.lastname@example.org>
Date: 05/06/2003 08:49:28
[I would consider posting this to the XFree86 lists, but given the deafening
silence that normally accompanies in-depth, obscure queries there, I'll try
here first. Failing an answer, directions to a more suitable list with a bit
of life in it would be welcome too.]
Okay, I'm on the local machine, logged in using XDM, as aidan.
~ > echo $DISPLAY
~ > whoami
~ > ssh -x hcksplat@localhost
I ssh to localhost as hcksplat, turning off explicitly X11 forwarding. On
localhost, as hcksplat, I do the following.
9:48PM ~ > XAUTHORITY=/home/aidan/.Xauthority ; export XAUTHORITY
9:48PM ~ > ls -l ~aidan/.Xauthority
-rw------- 1 aidan wheel 0 May 5 20:20 /home/aidan/.Xauthority
9:48PM ~ > xman -display :0 &
The xman displays. Wtf? Is this to say, anyone with local access who can
guess the name of my Xauthority file can pop up a window on my $DISPLAY?
Surely I must have some of my security settings wrong. Let's check;
9:48PM ~ > ~^Z [suspend ssh]
zsh: suspended ssh -x hcksplat@localhost
~ > xlsclients
smiley xconsole -daemon -notify -verbose -fn fixed -exitOnFail
smiley xman -display :0
smiley /X11/bin/xterm -geometry 80x24-0+0
smiley /usr/pkg/bin/xemacs -geometry +0+0
~ > xauth list
The output of xauth list is empty; that means, according to the man page,
that no access has been explicitly granted using the Xauth mechanisms. Let's
try the other facility;
~ > xhost
access control enabled, only authorized clients can connect
And the list of permitted hosts is empty. Okay, so what do I have to do to
turn off the ability of any local user to pop up a window on my display?
- Aidan Kehoe
"I have heard the swelling cry of the English speaking peoples of the
world, and it tells me their cause is served best by flaming the few
complacent asses on usenet." -- T. Samant, 29 June 1997