Subject: Re: Weekly BSD Security Digest 2000/07/10 to 2000/07/16
To: None <perry@wasabisystems.com>
From: John Kohl <jtk@kolvir.arlington.ma.us>
List: tech-x11
Date: 07/24/2000 14:25:26
>>>>> "Perry" == Perry E Metzger <perry@wasabisystems.com> writes:

Perry> Thor Lancelot Simon <tls@rek.tjls.com> writes:
>> An issue to be aware of that trips up many folks running X carefully is
>> that this doesn't prevent *xdm* from listening to the network, allowing
>> anyone who runs X -query foo.bar.com to talk to the XDM on foo.bar.com and
>> attempt to exploit any vulnerabilities it may have.

Perry> True enough. Perhaps we need to write (and contribute back) a similar
Perry> hack for xdm. In virtually every setup, xdm does not need to talk to
Perry> the network -- the ones where it is useful are rare in our context.

No need for any coding work, I think.  You just need to remove the
chooser stuff from /usr/X11R6/lib/X11/xdm/Xaccess (comment out the
CHOOSER BROADCAST and "any host can get a login window" lines).

Well, maybe making it not listen at all would be even better, but the
above step is IMHO something we should do in every future release.

-- 
==John Kohl <jtk@kolvir.arlington.ma.us>, <john_kohl@alum.mit.edu>
Home page: <http://people.ne.mediaone.net/jtk/>
Bicycling and Skiing to keep fit.
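Added example, not part of the original thread: the Xaccess change John describes, as a POSIX shell script that comments out the access-granting entries (the any-host "*" line and the CHOOSER BROADCAST line) and then checks that no such entry is still active. The sample file contents and the temporary path are constructed; the real file on a NetBSD box of that era would be /usr/X11R6/lib/X11/xdm/Xaccess.

```sh
#!/bin/sh
# Comment out every active Xaccess entry that either uses the any-host
# pattern "*" or offers a CHOOSER. Lines that are already comments and
# macro definitions (%name ...) are left alone. Edits the file in place.
harden_xaccess() {
    f="$1"
    awk '
        /^[ \t]*#/                       { print; next }        # keep comments
        /^[ \t]*\*([ \t#]|$)/ || /CHOOSER/ { print "#" $0; next } # disable grant
                                         { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Print the number of still-active entries that grant XDMCP access to
# arbitrary hosts (wildcard host or chooser). A hardened file yields 0.
open_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -c -e '^[[:space:]]*\*' -e 'CHOOSER' || true
}

# Write a constructed sample resembling the stock XFree86 Xaccess entries
# to a temporary file and print its path.
make_sample_xaccess() {
    t=$(mktemp /tmp/Xaccess.XXXXXX)
    cat > "$t" <<'EOF'
# Xaccess - constructed sample, modelled on the stock XFree86 file
*                                       #any host can get a login window
*               CHOOSER BROADCAST       #any indirect host can get a chooser
%hostlist       host-a host-b
EOF
    echo "$t"
}

main() {
    f=$(make_sample_xaccess)
    echo "before: $(open_entries "$f") open entries"
    harden_xaccess "$f"
    echo "after:  $(open_entries "$f") open entries"
    cat "$f"
    rm -f "$f"
}
main
```

Run it against the real Xaccess by calling `harden_xaccess /usr/X11R6/lib/X11/xdm/Xaccess` and restarting xdm; `open_entries` on the same path should then print 0.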