Subject: Re: X security query.
To: Steven M. Bellovin <>
From: Aidan Kehoe <>
List: current-users
Date: 05/06/2003 15:15:13
 On the 6th day of month 5, Steven M. Bellovin wrote:

 > >Ah, right. Except that the host-based access control mechanisms don't
 > >mention that the local host may be automatically allowed access--cf the
 > >xhost output in the original mail. Is that worth submitting a bug over,
 > >d'you think?
 > Sure they do;

I meant in the output of xhost; by default, if hosts have been given access
with xhost +hostname, (at least) the XFree86 xhost will print the list; from
xc/programs/xhost/xhost.c; (no, I don't work on a NetBSD box,


    if ((dpy = XOpenDisplay(NULL)) == NULL) {
	fprintf(stderr, "%s:  unable to open display \"%s\"\n",
		ProgramName, XDisplayName (NULL));
	exit(1);
    }

    if (argc == 1) {
	setnodeent(1);		/* keep the database accessed */
	sethostent(1);		/* don't close the data base each time */
	list = XListHosts(dpy, &nhosts, &enabled);
	if (enabled)
	    printf ("access control enabled, only authorized clients can connect\n");
	else
	    printf ("access control disabled, clients can connect from any host\n");

	if (nhosts != 0) {
	    for (i = 0; i < nhosts; i++ )  {
		hostname = get_hostname(&list[i]);
		if (hostname) {
		    switch (list[i].family) {
		    case FamilyInternet:
		    case FamilyDECnet:
		    case FamilyNetname:
		    case FamilyKrb5Principal:
		    case FamilyLocalHost:

I've had xhost behave like this (i.e. list the current access control list)
for four or five years now.

 > Mind you, I'm a security guy, and would much prefer that Xauthority was 
 > the default -- or only -- security mechanism.  For years, my .profile 
 > has generated a nice, new random entry every time I log in on the 
 > console.  Today's version includes some data from /dev/random, too.
 > There's also 'xauth generate', though I haven't played with that yet.

Thankfully, xhost + seems to be dying out as ssh implementations with X
forwarding become ubiquitous. It's easier, too :-) .

 > (Aside: several years ago, someone working on a seriously sensitive 
 > project asked me if he should encrypt his email.  After poking around 
 > for 5 minutes, I ran
 > 	DISPLAY=his-machine:0 xmessage "if you can read this, don't \
 > 		bother with encryption"

And he went: "I can let someone do that without knowing? X sucks." It needs
better defaults, and better documentation, where people can easily find
it. And I should stop whining and go write something useful. :-)


	- Aidan Kehoe
"I have heard the swelling cry of the English speaking peoples of the
world, and it tells me their cause is served best by flaming the few
complacent asses on usenet." -- T. Samant, 29 June 1997
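Added example, not part of the mail above: a small POSIX sh fragment of the kind the quoted .profile describes. It generates a fresh MIT-MAGIC-COOKIE-1 for the console display on each login and installs it with xauth, and it audits xhost output for the two conditions the thread discusses: access control switched off entirely (xhost +), and hosts granted access beyond the local one. The cookie is drawn from /dev/urandom rather than /dev/random so a login never blocks; that choice, the helper names, and the ":0" default display are assumptions, and the xhost lines fed to the audit in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes a POSIX sh with od and
# tr; xauth is only invoked if it is installed.

# Produce a 128-bit cookie as 32 lowercase hex digits.
# Uses /dev/urandom (assumption) so a console login never blocks.
new_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# A well-formed cookie is exactly 32 lowercase hex digits; nothing else is
# accepted, so a failed od/tr pipeline is never written into .Xauthority.
cookie_ok() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Install a fresh cookie for DISPLAY (default ":0", an assumption) in the
# user's .Xauthority. Returns 0 on success, 1 on a malformed cookie,
# 2 if xauth is not available on this machine.
install_cookie() {
    display=${1:-":0"}
    cookie=$(new_cookie)
    cookie_ok "$cookie" || return 1
    command -v xauth >/dev/null 2>&1 || return 2
    xauth add "$display" MIT-MAGIC-COOKIE-1 "$cookie"
}

# Read xhost output on stdin (e.g. `xhost | xhost_audit`). Returns
#   1 if access control is disabled (the xhost + case),
#   2 if any non-local host has been granted access (xhost +hostname),
#   0 if only the local host, or nothing, is listed.
# LOCAL: is what XFree86's xhost prints for FamilyLocalHost.
xhost_audit() {
    disabled=0
    remote=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) disabled=1 ;;
            "access control"*|LOCAL:*|"") ;;
            *) remote=$((remote + 1)) ;;
        esac
    done
    [ "$disabled" -eq 1 ] && return 1
    [ "$remote" -gt 0 ] && return 2
    return 0
}
```

From a .profile, `install_cookie ":0"` replaces the cookie each console login, and `xhost | xhost_audit || echo "X access control is weaker than the cookie"` warns when host-based access would let a client in without it. For instance, constructed input of "access control disabled, clients can connect from any host" makes the audit return 1, and "access control enabled, ..." followed by "INET:somehost" returns 2.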