Subject: Re: X security query.
To: Aidan Kehoe <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 05/06/2003 09:17:20
In message <firstname.lastname@example.org>, Aidan Kehoe =
> Ar an 6=FA l=E1 de m=ED 5, scr=EDobh Steven M. Bellovin :
> > In other words, if your Xauthority file is 0-length, it's not used, a=
> > the server falls back to host-based access control.
>Ah, right. Except that the host-based access control mechanisms don't
>mention that the local host may be automatically allowed access--cf the
>xhost output in the original mail. Is that worth submitting a bug over,
Sure they do; see the next paragraph of Xserver(7):
The X server also uses a host-based access control list
for deciding whether or not to accept connections from
clients on a particular machine. If no other authoriza
tion mechanism is being used, this list initially consists
of the host on which the server is running as well as any
machines listed in the file /etc/Xn.hosts, where n is the
display number of the server.
The defaults may be stupid and insecure, but they are documented...
Mind you, I'm a security guy, and would much prefer that Xauthority was =
the default -- or only -- security mechanism. For years, my .profile =
has generated a nice, new random entry every time I log in on the =
console. Today's version includes some data from /dev/random, too.
There's also 'xauth generate', though I haven't played with that yet.
(Aside: several years ago, someone working on a seriously sensitive =
project asked me if he should encrypt his email. After poking around =
for 5 minutes, I ran
DISPLAY=3Dhis-machine:0 xmessage "if you can read this, don't \
bother with encryption"
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)