Subject: Re: Weekly BSD Security Digest 2000/07/10 to 2000/07/16
To: None <perry@wasabisystems.com>
From: John Kohl <jtk@kolvir.arlington.ma.us>
List: tech-security
Date: 07/24/2000 14:25:26
Message-Id: <200007241825.OAA22405@kolvir.arlington.ma.us>
CC: tls@rek.tjls.com, tech-x11@netbsd.org, tech-security@netbsd.org
In-reply-to: <87bsznh1fm.fsf@snark.piermont.com> (perry@wasabisystems.com)

>>>>> "Perry" == Perry E Metzger <perry@wasabisystems.com> writes:

Perry> Thor Lancelot Simon <tls@rek.tjls.com> writes:
>> An issue to be aware of that trips up many folks running X carefully is
>> that this doesn't prevent *xdm* from listening to the network, allowing
>> anyone who runs X -query foo.bar.com to talk to the XDM on foo.bar.com and
>> attempt to exploit any vulnerabilities it may have.

Perry> True enough. Perhaps we need to write (and contribute back) a similar
Perry> hack for xdm. In virtually every setup, xdm does not need to talk to
Perry> the network -- the ones where it is useful are rare in our context.

No need for any coding work, I think.  You just need to remove the
chooser stuff from /usr/X11R6/lib/X11/xdm/Xaccess (comment out the
CHOOSER BROADCAST and "any host can get a login window" lines).

Well, maybe making it not listen at all would be even better, but the
above step is IMHO something we should do in every future release.

-- 
==John Kohl <jtk@kolvir.arlington.ma.us>, <john_kohl@alum.mit.edu>
Home page: <http://people.ne.mediaone.net/jtk/>
Bicycling and Skiing to keep fit.
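The Xaccess change John describes, as an added example that is not part of the thread and not NetBSD or XFree86 code: a small sh/awk script that comments out the "any host can get a login window" and CHOOSER BROADCAST entries in an Xaccess file and then checks that no unrestricted rule is left active. The Xaccess path is the one quoted in the message; the file layout in the demo is a constructed sample modelled on the stock X11R6 file, and the matching rules (a bare "*" host pattern, or any CHOOSER BROADCAST line) are this example's own choice. The last function goes beyond the thread: xdm(1) documents the DisplayManager.requestPort resource, and setting it to 0 in xdm-config stops xdm from listening for XDMCP at all, which is the "not listen" option the message mentions but does not spell out.

```shell
#!/bin/sh
# Added example (not from the post): comment out the two Xaccess entries the
# post names and verify that no unrestricted XDMCP rule remains.
# The Xaccess path is the one quoted in the post; the matching rules and the
# sample file below are this example's own assumptions.

XACCESS="${XACCESS:-/usr/X11R6/lib/X11/xdm/Xaccess}"

# Active entries: strip "#..." comments, drop blank lines.
xaccess_active() {
    sed -e 's/#.*$//' "$1" | awk 'NF > 0'
}

# Number of active entries (used by the checks below).
xaccess_active_count() {
    xaccess_active "$1" | awk 'END { print NR }'
}

# Exit 0 if the file still lets arbitrary hosts reach xdm over XDMCP:
# a rule whose host pattern is a bare "*", or any "CHOOSER BROADCAST" rule.
xaccess_is_open() {
    xaccess_active "$1" | awk '
        $1 == "*"                { open = 1 }
        /CHOOSER[ \t]+BROADCAST/ { open = 1 }
        END                      { exit open ? 0 : 1 }'
}

# Copy $1 to $2 with those rules commented out. Every other line is kept
# verbatim, so narrower patterns such as "*.example.org" are left alone.
xaccess_harden() {
    awk '
        {
            line = $0
            sub(/#.*$/, "", line)
            n = split(line, f)
            if (n > 0 && (f[1] == "*" || line ~ /CHOOSER[ \t]+BROADCAST/))
                print "#" $0
            else
                print $0
        }' "$1" > "$2"
}

# Beyond the post: xdm(1) documents DisplayManager.requestPort; a value of 0
# in xdm-config (comments start with "!") disables XDMCP listening entirely.
# Exit 0 if the given xdm-config sets it to 0.
xdm_xdmcp_disabled() {
    sed -e 's/!.*$//' "$1" | awk '
        /DisplayManager[.*]requestPort:[ \t]*0[ \t]*$/ { off = 1 }
        END { exit off ? 0 : 1 }'
}

# Demonstration on a constructed file laid out like the stock X11R6 Xaccess
# (spaces instead of tabs; xdm accepts either).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '# Xaccess (constructed sample, not a real system file)' \
        '*                        #any host can get a login window' \
        '*      CHOOSER BROADCAST #any indirect host can get a chooser' \
        'ws1.example.org CHOOSER %hostlist  #constructed narrower rule' \
        > "$d/Xaccess"
    xaccess_harden "$d/Xaccess" "$d/Xaccess.new"
    if xaccess_is_open "$d/Xaccess.new"; then
        echo "Xaccess.new still grants unrestricted XDMCP access"
    else
        echo "Xaccess.new: wildcard and chooser-broadcast rules disabled"
    fi
    echo "remaining active entries:"
    xaccess_active "$d/Xaccess.new"
    rm -rf "$d"
}
demo
```

To apply it to a live system, run `xaccess_harden "$XACCESS" "$XACCESS.new"`, inspect the result, then move it into place and restart xdm; `xaccess_is_open` on the installed file is the check to keep around, since a later upgrade can reinstall the stock Xaccess.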