Subject: Re: X security query.
To: Aidan Kehoe <kehoea@parhasard.net>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 05/06/2003 09:17:20
In message <16055.44384.601021.536198@matrix.netsoc.tcd.ie>, Aidan Kehoe writes:
>
> On the 6th day of month 5, Steven M. Bellovin wrote:
>
> > In other words, if your Xauthority file is 0-length, it's not used, and
> > the server falls back to host-based access control.
>
>Ah, right. Except that the host-based access control mechanisms don't
>mention that the local host may be automatically allowed access--cf the
>xhost output in the original mail. Is that worth submitting a bug over,
>d'you think?
>

Sure they do; see the next paragraph of Xserver(7):

       The X server also uses a host-based access control list for
       deciding whether or not to accept connections from clients on a
       particular machine.  If no other authorization mechanism is being
       used, this list initially consists of the host on which the server
       is running as well as any machines listed in the file /etc/Xn.hosts,
       where n is the display number of the server.

The defaults may be stupid and insecure, but they are documented...

Mind you, I'm a security guy, and would much prefer that Xauthority was
the default -- or only -- security mechanism.  For years, my .profile
has generated a nice, new random entry every time I log in on the
console.  Today's version includes some data from /dev/random, too.
There's also 'xauth generate', though I haven't played with that yet.

(Aside: several years ago, someone working on a seriously sensitive
project asked me if he should encrypt his email.  After poking around
for 5 minutes, I ran

	DISPLAY=his-machine:0 xmessage "if you can read this, don't \
		bother with encryption"


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
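A login-time cookie generator along the lines of the .profile routine described in the mail above, as an added example that is not part of the original message or of any X distribution. The display name :0, the Xauthority path, and the helper names are assumptions made for this example, and /dev/urandom stands in for the /dev/random mentioned in the mail so that a login can never block waiting for entropy. It also checks the 0-length-file condition from the quoted exchange, since an empty Xauthority silently drops the server back to host-based access control:

```shell
#!/bin/sh
# Added example, not code from the original mail: mint a fresh
# MIT-MAGIC-COOKIE-1 for the console display on every login and install
# it with xauth. Display, file path and helper names are assumptions.

# gen_cookie: 16 random bytes rendered as 32 lowercase hex digits.
# /dev/urandom rather than /dev/random so the login shell never blocks;
# the cookie is a bearer secret, not long-term key material.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n\t'
}

# valid_cookie COOKIE: succeed only for exactly 32 lowercase hex digits,
# which is what a 128-bit MIT-MAGIC-COOKIE-1 looks like in xauth.
valid_cookie() {
    case $1 in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# authfile_in_use FILE: succeed if FILE exists and is non-empty. As the
# thread notes, a missing or 0-length Xauthority file is ignored by the
# server, which then falls back to host-based access control.
authfile_in_use() {
    [ -s "$1" ]
}

# install_cookie DISPLAY FILE: create FILE mode 0600, add a fresh cookie
# for DISPLAY, confirm the file is now non-empty, and print the cookie.
# Fails (without printing) if xauth is missing or refuses the entry.
install_cookie() {
    display=$1
    authfile=$2
    cookie=$(gen_cookie) && valid_cookie "$cookie" || return 1
    umask 077
    : >> "$authfile" || return 1
    chmod 600 "$authfile" || return 1
    XAUTHORITY=$authfile xauth add "$display" MIT-MAGIC-COOKIE-1 "$cookie" \
        || return 1
    authfile_in_use "$authfile" || return 1
    printf '%s\n' "$cookie"
}

# Typical use from .profile on the console (display :0 is an assumption):
#   if install_cookie :0 "$HOME/.Xauthority" >/dev/null; then
#       XAUTHORITY=$HOME/.Xauthority; export XAUTHORITY
#   fi
```

The server must be started (or restarted) with the same cookie for it to take effect; on a display started by xinit or startx, pointing both the server and the clients at the same XAUTHORITY file is enough, and `xhost` should then report that access control is enabled with no hosts listed.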