Subject: Re: Weekly BSD Security Digest 2000/07/10 to 2000/07/16
To: None <email@example.com>
From: John Kohl <firstname.lastname@example.org>
Date: 07/24/2000 14:25:26
>>>>> "Perry" == Perry E Metzger <email@example.com> writes:
Perry> Thor Lancelot Simon <firstname.lastname@example.org> writes:
>> An issue to be aware of that trips up many folks running X carefully is
>> that this doesn't prevent *xdm* from listening to the network, allowing
>> anyone who runs X -query foo.bar.com to talk to the XDM on foo.bar.com and
>> attempt to exploit any vulnerabilities it may have.
Perry> True enough. Perhaps we need to write (and contribute back) a similar
Perry> hack for xdm. In virtually every setup, xdm does not need to talk to
Perry> the network -- the ones where it is useful are rare in our context.
No need for any coding work, I think. You just need to remove the
chooser stuff from /usr/X11R6/lib/X11/xdm/Xaccess (comment out the
CHOOSER BROADCAST and "any host can get a login window" lines).
Well, maybe making it not listen at all would be even better, but the
above step is IMHO something we should do in every future release.
==John Kohl <email@example.com>, <firstname.lastname@example.org>
Home page: <http://people.ne.mediaone.net/jtk/>
Bicycling and Skiing to keep fit.