Subject: X security query.
To: None <>
From: Aidan Kehoe <>
List: current-users
Date: 05/06/2003 08:49:28

[I would consider posting this to the XFree86 lists, but given the deafening
silence that normally accompanies in-depth, obscure queries there, I'll try
here first. Failing an answer, directions to a more suitable list with a bit
of life in it would be welcome too.]

Okay, I'm on the local machine, logged in using XDM, as aidan. 

  ~ > echo $DISPLAY
  ~ > whoami
  ~ > ssh -x hcksplat@localhost
  hcksplat@localhost's password: 

I ssh to localhost as hcksplat, explicitly turning off X11 forwarding. On
localhost, as hcksplat, I do the following.

   9:48PM ~ > XAUTHORITY=/home/aidan/.Xauthority ; export XAUTHORITY
   9:48PM ~ > ls -l ~aidan/.Xauthority
   -rw-------  1 aidan  wheel  0 May  5 20:20 /home/aidan/.Xauthority
   9:48PM ~ > xman -display :0 &
  [1] 1029

The xman displays. Wtf? Is this to say, anyone with local access who can
guess the name of my Xauthority file can pop up a window on my $DISPLAY?
Surely I must have some of my security settings wrong. Let's check:

   9:48PM ~ > ~^Z [suspend ssh]

  zsh: suspended  ssh -x hcksplat@localhost
  ~ > xlsclients
  smiley  xconsole -daemon -notify -verbose -fn fixed -exitOnFail
  smiley  xman -display :0
  smiley  /X11/bin/xterm -geometry 80x24-0+0
  smiley  /usr/pkg/bin/xemacs -geometry +0+0
  ~ > xauth list
  ~ > 

The output of xauth list is empty; that means, according to the man page,
that no access has been explicitly granted using the Xauth mechanisms. Let's
try the other facility:

  ~ > xhost
  access control enabled, only authorized clients can connect
  ~ > 

And the list of permitted hosts is empty. Okay, so what do I have to do to
turn off the ability of any local user to pop up a window on my display?


	- Aidan Kehoe
"I have heard the swelling cry of the English speaking peoples of the
world, and it tells me their cause is served best by flaming the few
complacent asses on usenet." -- T. Samant, 29 June 1997
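
[Added example, not part of the original message and not code from any X11 project: a small parser for the Xauthority file layout (a 2-byte big-endian family, then four length-prefixed fields: address, display number, scheme name, data). It shows that a zero-length file like the one in the `ls -l` output above holds no records, which is consistent with the empty `xauth list`. The function names and the sample record are constructed for illustration.]

```python
import os
import stat
import struct

FAMILY = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def read_field(buf, off):
    """One counted field: 2-byte big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_xauthority(buf):
    """Parse Xauthority bytes into records; cookie bytes are not returned."""
    records, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % off)
        (family,) = struct.unpack_from(">H", buf, off)
        addr, off = read_field(buf, off + 2)
        display, off = read_field(buf, off)
        name, off = read_field(buf, off)
        data, off = read_field(buf, off)
        records.append({
            "family": FAMILY.get(family, str(family)),
            "address": addr.decode("latin-1"),
            "display": display.decode("latin-1"),
            "scheme": name.decode("latin-1"),
            "data_len": len(data),
        })
    return records

def audit(path):
    """Summarise what an ls -l plus xauth list check would tell you."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        records = parse_xauthority(fh.read())
    return {"size": st.st_size,
            "group_or_other_access": bool(stat.S_IMODE(st.st_mode) & 0o077),
            "records": records}

def make_record(family, addr, display, scheme, data):
    """Build one record (used only to construct sample input)."""
    out = struct.pack(">H", family)
    for f in (addr, display, scheme, data):
        out += struct.pack(">H", len(f)) + f
    return out

# Constructed sample: a local entry for display 0 with a dummy 16-byte cookie.
SAMPLE = make_record(256, b"smiley", b"0", b"MIT-MAGIC-COOKIE-1", b"\x00" * 16)

if __name__ == "__main__":
    print(parse_xauthority(b""))      # zero-length file, as in the ls -l above
    print(parse_xauthority(SAMPLE))
```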