Subject: Re: X security query.
To: Aidan Kehoe <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 05/06/2003 07:41:47
In message <firstname.lastname@example.org>, Aidan Kehoe writes:
>[I would consider posting this to the XFree86 lists, but given the deafening
>silence that normally accompanies in-depth, obscure queries there, I'll try
>here first. Failing an answer, directions to a more suitable list with a bit
>of life in it would be welcome too.]
According to the XServer man page (I think I have 4.3.0 running):
    Authorization data required by the above protocols is
    passed to the server in a private file named with the
    -auth command line option. Each time the server is about
    to accept the first connection after a reset (or when the
    server is starting), it reads this file. If this file
    contains any authorization records, the local host is not
    automatically allowed access to the server, and only
    clients which send one of the authorization records
    contained in the file in the connection setup information
    will be allowed access.
In other words, if your Xauthority file is 0-length, it's not used, and
the server falls back to host-based access control.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
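
Added example, not part of the original message or of XFree86: a check of an auth file against the behaviour the man page excerpt above describes. It assumes the standard Xauthority record layout (a 2-byte big-endian family, then four length-prefixed fields: address, display number, protocol name, data); the function names and the sample record are constructed for illustration.

```python
import struct

def read_counted(buf, off):
    """Read a 2-byte big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated field body")
    return buf[off:off + n], off + n

def parse_xauthority(buf):
    """Return (family, address, display, protocol name, data length) per record."""
    records, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = read_counted(buf, off)
        display, off = read_counted(buf, off)
        name, off = read_counted(buf, off)
        data, off = read_counted(buf, off)
        # Report only the cookie length, never the cookie itself.
        records.append((family, address, display.decode(), name.decode(), len(data)))
    return records

def audit_auth_file(buf):
    """Classify the file according to the man page excerpt quoted above."""
    try:
        records = parse_xauthority(buf)
    except ValueError as exc:
        return "malformed: " + str(exc)
    if not records:
        return "no records: server falls back to host-based access control"
    return "%d record(s): only clients presenting one are admitted" % len(records)

def make_record(family, address, display, name, data):
    """Build one record; used only to construct the sample below."""
    out = struct.pack(">H", family)
    for field in (address, display, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed sample: family 256 (FamilyLocal), hypothetical host "demo",
# display 0, MIT-MAGIC-COOKIE-1 with a dummy all-zero 16-byte cookie.
SAMPLE = make_record(256, b"demo", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))

if __name__ == "__main__":
    for label, blob in (("empty", b""), ("one cookie", SAMPLE), ("cut short", SAMPLE[:10])):
        print(label, "->", audit_auth_file(blob))
```

To check a real file, pass its contents read in binary mode to `audit_auth_file`. How the server treats a malformed file is not covered by the excerpt, so the check only flags it.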