Subject: X security query.
To: None <current-users@netbsd.org>
From: Aidan Kehoe <kehoea@parhasard.net>
List: current-users
Date: 05/06/2003 08:49:28
Hi, 

[I would consider posting this to the XFree86 lists, but given the deafening
silence that normally accompanies in-depth, obscure queries there, I'll try
here first. Failing an answer, directions to a more suitable list with a bit
of life in it would be welcome too.]

Okay, I'm on the local machine, logged in using XDM, as aidan. 

  ~ > echo $DISPLAY
  :0.0
  ~ > whoami
  aidan
  ~ > ssh -x hcksplat@localhost
  hcksplat@localhost's password: 

I ssh to localhost as hcksplat, explicitly turning off X11 forwarding. On
localhost, as hcksplat, I do the following.

   9:48PM ~ > XAUTHORITY=/home/aidan/.Xauthority ; export XAUTHORITY
   9:48PM ~ > ls -l ~aidan/.Xauthority
   -rw-------  1 aidan  wheel  0 May  5 20:20 /home/aidan/.Xauthority
   9:48PM ~ > xman -display :0 &
  [1] 1029

The xman displays. Wtf? Is this to say, anyone with local access who can
guess the name of my Xauthority file can pop up a window on my $DISPLAY?
Surely I must have some of my security settings wrong. Let's check:

   9:48PM ~ > ~^Z [suspend ssh]

  zsh: suspended  ssh -x hcksplat@localhost
  ~ > xlsclients
  smiley  xconsole -daemon -notify -verbose -fn fixed -exitOnFail
  smiley  xman -display :0
  smiley  /X11/bin/xterm -geometry 80x24-0+0
  smiley  /usr/pkg/bin/xemacs -geometry +0+0
  ~ > xauth list
  ~ > 

The output of xauth list is empty; that means, according to the man page,
that no access has been explicitly granted using the Xauth mechanisms. Let's
try the other facility:

  ~ > xhost
  access control enabled, only authorized clients can connect
  ~ > 

And the list of permitted hosts is empty. Okay, so what do I have to do to
turn off the ability of any local user to pop up a window on my display?

Cordially,   

	- Aidan Kehoe
-- 
"I have heard the swelling cry of the English speaking peoples of the
world, and it tells me their cause is served best by flaming the few
complacent asses on usenet." -- T. Samant, 29 June 1997
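One observation about the transcript above: the ~aidan/.Xauthority that hcksplat pointed XAUTHORITY at is zero bytes long and mode 600, so it could not have supplied a cookie to the xman client; the server accepted a local connection carrying no authorization data at all. Whether an X display is actually protected by MIT-MAGIC-COOKIE-1 therefore comes down to two things: was the server started with an -auth file, and does the session's authority file hold a cookie for that display. The shell script below is an added example written for this thread, not part of Aidan's post or of XFree86; it packages those two checks as functions that take the server command line and the output of `xauth list` as text, so it can be exercised on constructed sample data without a live X server. The hostname `smiley` is the one from the xlsclients output above; the auth file path in the sample is a placeholder, and the `ps`/`grep` invocation in the comment is an assumed way of obtaining the live server command line on NetBSD.

```shell
#!/bin/sh
# Added example (not from the original post). Audits whether an X display's
# access control rests on MIT-MAGIC-COOKIE-1 authorization or only on
# host-based access, which lets any local user connect over the Unix socket.

# server_uses_auth "<X server command line>"
# Returns 0 if the server was started with an -auth file, 1 otherwise.
server_uses_auth() {
    case " $1 " in
        *" -auth "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# cookie_for_display "<output of xauth list>" "<display number>"
# Returns 0 if an MIT-MAGIC-COOKIE-1 entry exists for that display number,
# matching both "host/unix:N" and "host:N" style entries.
cookie_for_display() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 ~ ("[/:]" d "$") && $2 == "MIT-MAGIC-COOKIE-1" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# x_access_verdict "<server command line>" "<xauth list output>" "<display number>"
# Prints a one-line verdict; returns 0 only when cookie auth is in effect.
x_access_verdict() {
    if ! server_uses_auth "$1"; then
        echo "NO-AUTH: X server started without -auth; host-based access only"
        return 1
    fi
    if ! cookie_for_display "$2" "$3"; then
        echo "NO-COOKIE: no MIT-MAGIC-COOKIE-1 entry for display :$3"
        return 1
    fi
    echo "OK: cookie authorization in effect for display :$3"
    return 0
}

# Constructed sample data. The first pair mirrors the post: a server with no
# -auth argument and an empty `xauth list`. The second pair is what a
# correctly authorized XDM session looks like (cookie value is made up,
# auth file path is a placeholder).
SAMPLE_CMD_NOAUTH="/usr/X11R6/bin/X :0 vt05"
SAMPLE_XAUTH_EMPTY=""
SAMPLE_CMD_AUTH="/usr/X11R6/bin/X :0 vt05 -auth /PLACEHOLDER/authdir/A:0-sample"
SAMPLE_XAUTH_OK="smiley/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef"

# Demonstration on the constructed data (the `|| :` keeps a failing verdict
# from aborting a shell running under set -e).
x_access_verdict "$SAMPLE_CMD_NOAUTH" "$SAMPLE_XAUTH_EMPTY" 0 || :
x_access_verdict "$SAMPLE_CMD_AUTH"   "$SAMPLE_XAUTH_OK"    0 || :

# Live use on the machine from the post (assumed NetBSD ps syntax; the grep
# picks the line whose command is the X server binary):
#   x_access_verdict "$(ps -ax -o command | grep '/X :')" "$(xauth list)" 0
```

If the verdict is NO-AUTH, the server itself was never given a cookie file to check against, and no amount of `xauth` work in the user's session changes that; the server's startup (xdm's configuration, on an XDM login) is where the fix has to go.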