Subject: Re: X security query.
To: Steven M. Bellovin <smb@research.att.com>
From: Aidan Kehoe <kehoea@parhasard.net>
List: current-users
Date: 05/06/2003 15:15:13
On the 6th day of month 5, Steven M. Bellovin wrote:
> >Ah, right. Except that the host-based access control mechanisms don't
> >mention that the local host may be automatically allowed access--cf the
> >xhost output in the original mail. Is that worth submitting a bug over,
> >d'you think?
>
> Sure they do;
I meant in the output of xhost. By default, if hosts have been given access
with xhost +hostname, (at least) the XFree86 xhost will print the list. From
xc/programs/xhost/xhost.c (no, I don't work on a NetBSD box,
unfortunately):
[...]
    if ((dpy = XOpenDisplay(NULL)) == NULL) {
        fprintf(stderr, "%s: unable to open display \"%s\"\n",
                ProgramName, XDisplayName(NULL));
        exit(1);
    }
    XSetErrorHandler(local_xerror);
    if (argc == 1) {
#ifdef DNETCONN
        setnodeent(1);  /* keep the database accessed */
#endif
        sethostent(1);  /* don't close the data base each time */
        list = XListHosts(dpy, &nhosts, &enabled);
        if (enabled)
            printf("access control enabled, only authorized clients can connect\n");
        else
            printf("access control disabled, clients can connect from any host\n");
        if (nhosts != 0) {
            for (i = 0; i < nhosts; i++) {
                hostname = get_hostname(&list[i]);
                if (hostname) {
                    switch (list[i].family) {
                    case FamilyInternet:
                        printf("INET:");
                        break;
                    case FamilyDECnet:
                        printf("DNET:");
                        break;
                    case FamilyNetname:
                        printf("NIS:");
                        break;
                    case FamilyKrb5Principal:
                        printf("KRB:");
                        break;
                    case FamilyLocalHost:
                        printf("LOCAL:");
[...]
I've had xhost behave like this (i.e. list the current access control list)
for four or five years now.
> Mind you, I'm a security guy, and would much prefer that Xauthority was
> the default -- or only -- security mechanism. For years, my .profile
> has generated a nice, new random entry every time I log in on the
> console. Today's version includes some data from /dev/random, too.
> There's also 'xauth generate', though I haven't played with that yet.
Thankfully, xhost + seems to be dying out as ssh implementations with X
forwarding become ubiquitous. It's easier, too :-) .
> (Aside: several years ago, someone working on a seriously sensitive
> project asked me if he should encrypt his email. After poking around
> for 5 minutes, I ran
>
> DISPLAY=his-machine:0 xmessage "if you can read this, don't \
> bother with encryption"
And he went: "I can let someone do that without knowing? X sucks." It needs
better defaults, and better documentation, where people can easily find
it. And I should stop whining and go write something useful. :-)
Bye,
- Aidan Kehoe
--
"I have heard the swelling cry of the English speaking peoples of the
world, and it tells me their cause is served best by flaming the few
complacent asses on usenet." -- T. Samant, 29 June 1997
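An added example, not from the thread above nor from xhost.c: a POSIX shell script that generates a fresh 128-bit MIT-MAGIC-COOKIE-1 from /dev/urandom and installs it with xauth(1), as the .profile described above does, plus a helper that summarises captured xhost(1) output of the form shown in the excerpt. It assumes xauth is on the PATH; the function names are my own.

```shell
#!/bin/sh
# Added example; gen_cookie, valid_cookie, install_cookie and
# xhost_summary are hypothetical names, not part of X or the thread.

# 128-bit cookie as 32 lowercase hex digits. /dev/urandom is used here
# (non-blocking); the mail mentions /dev/random.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only a string of exactly 32 hex digits.
valid_cookie() {
    case "$1" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Write the cookie into the auth file for $DISPLAY (default :0).
# Note: this only updates the client side; the X server accepts the
# cookie only if the same file is handed to it at startup via -auth,
# so run this before starting the server (e.g. from .profile).
install_cookie() {
    command -v xauth >/dev/null 2>&1 || return 2
    cookie="$(gen_cookie)"
    valid_cookie "$cookie" || return 1
    xauth add "${DISPLAY:-:0}" MIT-MAGIC-COOKIE-1 "$cookie"
}

# Summarise xhost(1) output read from stdin: prints "open" when access
# control is disabled, otherwise "closed:<n>" with <n> the number of
# host entries (INET:/DNET:/NIS:/KRB:/LOCAL:) listed after the status.
xhost_summary() {
    status="" n=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) status=open ;;
            "access control enabled"*)  status=closed ;;
            INET:*|DNET:*|NIS:*|KRB:*|LOCAL:*) n=$((n + 1)) ;;
        esac
    done
    if [ "$status" = open ]; then echo open; else echo "closed:$n"; fi
}
```

Run `xhost | xhost_summary` on a live session to see whether the display is wide open; a fresh cookie from `install_cookie` only protects the server if it was started with that auth file.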