Subject: Re: Weekly BSD Security Digest 2000/07/10 to 2000/07/16
To: Perry E. Metzger <perry@wasabisystems.com>
From: Luke Mewburn <lukem@cs.rmit.edu.au>
List: tech-security
Date: 07/26/2000 15:20:48
Message-Id: <200007260520.PAA15096@wombat.cs.rmit.edu.au>
From: Luke Mewburn <lukem@cs.rmit.edu.au>
Reply-to: lukem@cs.rmit.edu.au
To: "Perry E. Metzger" <perry@wasabisystems.com>
Cc: tech-x11@netbsd.org, tech-security@netbsd.org
Subject: Re: Weekly BSD Security Digest 2000/07/10 to 2000/07/16 
In-Reply-To: Your message of "24 Jul 2000 13:40:13 -0400 "
	<87bsznh1fm.fsf@snark.piermont.com> 
Date: Wed, 26 Jul 2000 15:20:48 +1000

"Perry E. Metzger" writes:
> 
> Thor Lancelot Simon <tls@rek.tjls.com> writes:
> > An issue to be aware of that trips up many folks running X carefully is
> > that this doesn't prevent *xdm* from listening to the network, allowing
> > anyone who runs X -query foo.bar.com to talk to the XDM on foo.bar.com and
> > attempt to exploit any vulnerabilities it may have.
> 
> True enough. Perhaps we need to write (and contribute back) a similar
> hack for xdm. In virtually every setup, xdm does not need to talk to
> the network -- the ones where it is useful are rare in our context.

Except where NetBSD boxes are used as central login servers and you have
X-terminals xdm-ing off them...

But as people mentioned earlier, just disable the remote login support
in the xdm Xaccess config file if you don't need X-terminal support...
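Added example, not part of the thread or of xdm itself: a small POSIX sh check that tells whether an Xaccess file still grants XDMCP access to any host pattern and whether xdm-config turns the XDMCP listener off. The Xaccess files and xdm-config lines it examines are constructed here; the "open" Xaccess mirrors the stock default that hands any host a login window, the "locked" one denies both direct and chooser queries, and the xdm-config check relies on the `DisplayManager.requestPort` resource (0 means xdm does not listen for XDMCP at all). It only reads files, so it is safe to run on a live xdm installation by pointing it at the real paths.

```sh
#!/bin/sh
# Added example (not from the thread): check an xdm Xaccess file and an
# xdm-config file for XDMCP exposure. All sample files below are constructed.

OPEN_XACCESS=$(mktemp)
cat > "$OPEN_XACCESS" <<'EOF'
# stock default: any host may request a login window (direct/broadcast query)
*
# any host may reach the host chooser (indirect query)
*      CHOOSER BROADCAST
EOF

LOCKED_XACCESS=$(mktemp)
cat > "$LOCKED_XACCESS" <<'EOF'
# hardened for a box with no X-terminals: deny every host both kinds of query
!*
!*     CHOOSER BROADCAST
EOF

# xdm-config: requestPort 0 stops xdm from listening for XDMCP at all.
OPEN_XDMCONFIG=$(mktemp)
printf 'DisplayManager.requestPort:\t177\n' > "$OPEN_XDMCONFIG"
CLOSED_XDMCONFIG=$(mktemp)
printf 'DisplayManager.requestPort:\t0\n' > "$CLOSED_XDMCONFIG"
trap 'rm -f "$OPEN_XACCESS" "$LOCKED_XACCESS" "$OPEN_XDMCONFIG" "$CLOSED_XDMCONFIG"' EXIT

# Print every Xaccess entry that grants access. Blank lines, comments (#),
# macro definitions (%name) and LISTEN directives are skipped; entries whose
# pattern starts with '!' are denials and are skipped too.
xaccess_grants() {
    awk 'NF > 0 && $1 !~ /^[#!%]/ && $1 != "LISTEN" { print }' "$1"
}

# Exit 0 if the Xaccess file grants XDMCP access to at least one pattern.
xaccess_is_open() {
    [ -n "$(xaccess_grants "$1")" ]
}

# Exit 0 if xdm-config sets DisplayManager.requestPort to 0 (XDMCP off).
xdmcp_listen_disabled() {
    awk -F: 'tolower($1) ~ /requestport$/ { gsub(/[ \t]/, "", $2); port = $2 }
             END { exit (port == "0") ? 0 : 1 }' "$1"
}

for f in "$OPEN_XACCESS" "$LOCKED_XACCESS"; do
    if xaccess_is_open "$f"; then
        echo "Xaccess grants XDMCP access to: $(xaccess_grants "$f" | tr '\n' ';')"
    else
        echo "Xaccess grants XDMCP access to no host"
    fi
done
for f in "$OPEN_XDMCONFIG" "$CLOSED_XDMCONFIG"; do
    if xdmcp_listen_disabled "$f"; then
        echo "xdm-config: XDMCP listener disabled (requestPort 0)"
    else
        echo "xdm-config: xdm will listen for XDMCP requests"
    fi
done
```

On a real host, run `xaccess_is_open /path/to/Xaccess` and `xdmcp_listen_disabled /path/to/xdm-config` against the installed files; a central login server with X-terminals is expected to show open entries (ideally named hosts rather than `*`), while a box that never serves X-terminals should fail the first check and pass the second.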