On 18/08/2010 13:08, Sebastian Krzyszkowiak wrote:
>
> Maybe we should enable it by default? Are there any disadvantages?
>

Some security issues (some side effects) but I don't think it's relevant for us.

Basically on your computer when $DISPLAY is :0.0 your X server is listening to a UNIX socket (/tmp/.X11-unix/X0 indeed, you can check your /tmp).

When you do some X11 forwarding there are 2 things:
- a network connection between X client (on "faraway" machine) and X server (on "here" machine)
- an authentication

With the 'old school' system (cf. my previous message) you do:

  faraway$ DISPLAY=here:0 my_application

to establish the (non-encrypted) connection between "faraway" and "here".

For the authentication, your X server usually accepts the X client from faraway because you did a:

  here$ xhost +faraway

But that's for the 'old school' system. Now what about ssh -X?

While doing ssh -X to go on your Freerunner, you can see your Freerunner's $DISPLAY is :10.0, which corresponds to a local TCP socket (local on Freerunner) opened by the ssh server.

  faraway$ lsof -ni TCP:6010
  COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
  sshd    15663 root    9u  IPv4 437835      TCP  127.0.0.1:6010 (LISTEN)

Any connection to 127.0.0.1:6010/TCP will be redirected through ssh from your Freerunner to your computer's /tmp/.X11-unix/X0 socket. That's for the (encrypted) connection.

For authentication, there is a secret shared between X server and X clients called "magic-cookie" and managed by the xauth application. You can do "xauth list $DISPLAY" on your computer to see it. This secret is stored in ~/.Xauthority (be careful with permissions on this file).

If you do a ssh -X -vv (verbose) you will see your ssh client calling xauth to get this magic-cookie (something like "debug2: x11_get_proto: /usr/bin/X11/xauth list :0.0 . 2>/dev/null").

So why do some distributions set X11Forwarding to 'no'? Because if your Freerunner is *compromised*, someone can control the Xauthority file and therefore he can connect to the 6010/TCP socket, which is linked to your computer's UNIX socket.

==> he has a kind of "back channel" to access your computer's X server.

Xavier.

_______________________________________________
Openmoko community mailing list
community@lists.openmoko.org
http://lists.openmoko.org/mailman/listinfo/community
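A small POSIX shell audit helper, added here as an example (it is not code from Xavier's mail or from the Openmoko project), that turns the points in the message into checks an administrator can run on the "here" side: which kind of connection a DISPLAY value implies and which TCP port it maps to, the effective X11Forwarding value in an sshd_config, whether ~/.Xauthority keeps the magic cookie away from group/other, and which sshd listeners in the X11 port range an lsof listing shows. The function names, the sshd_config excerpt and the lsof lines are constructed for the example; the "display :10 and up means sshd-forwarded" rule assumes sshd's default X11DisplayOffset of 10.

```shell
#!/bin/sh
# Added example (not from the mail): helpers to audit the X11 forwarding
# setup described above. Function names and sample data are constructed.

# Port an X client uses for a DISPLAY value: 6000 + display number.
# display_port ":10.0" -> 6010 ; display_port "here:0" -> 6000
display_port() {
    num="${1#*:}"        # drop the "host:" part
    num="${num%%.*}"     # drop the ".screen" suffix
    echo $((6000 + num))
}

# Classify a DISPLAY value:
#   unix          - local display, X server on /tmp/.X11-unix/X<n>
#   ssh-forwarded - local TCP listener opened by sshd (assumes the default
#                   X11DisplayOffset 10, i.e. displays :10 and up)
#   tcp-clear     - remote host named explicitly: unencrypted TCP, 'old school'
display_kind() {
    host="${1%%:*}"
    port=$(display_port "$1")
    if [ -z "$host" ] || [ "$host" = "localhost" ]; then
        if [ "$port" -ge 6010 ]; then echo ssh-forwarded; else echo unix; fi
    else
        echo tcp-clear
    fi
}

# Effective X11Forwarding value from sshd_config text: sshd takes the first
# occurrence of a keyword, comment lines are ignored, and the default is "no".
# Conditional Match blocks are skipped (simplification of this example).
effective_x11forwarding() {
    v=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/               { next }
        tolower($1) == "match"         { exit }
        tolower($1) == "x11forwarding" { print tolower($2); exit }')
    echo "${v:-no}"
}

# ~/.Xauthority holds the magic cookie: group and other must have no bits.
# xauthority_mode_ok 600 -> true ; xauthority_mode_ok 644 -> false
xauthority_mode_ok() {
    go="${1#${1%??}}"    # last two octal digits: group, other
    [ "$go" = "00" ]
}

# From "lsof -ni" style output, list sshd listeners in the X11 port range
# (6000-6063) as "pid port" lines.
ssh_x11_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "sshd" && $NF == "(LISTEN)" {
            n = split($(NF-1), a, ":"); p = a[n] + 0
            if (p >= 6000 && p < 6064) print $2, p
        }'
}

# Constructed sample inputs (not real captures).
SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
Port 22
X11Forwarding yes
X11DisplayOffset 10
Match User guest
    X11Forwarding no'

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    15663 root    9u  IPv4 437835      0t0  TCP 127.0.0.1:6010 (LISTEN)'

# Stand-alone demo over the constructed data.
for d in ':0.0' 'here:0' ':10.0' 'localhost:10.0'; do
    echo "DISPLAY=$d -> $(display_kind "$d") (port $(display_port "$d"))"
done
echo "X11Forwarding effective: $(effective_x11forwarding "$SAMPLE_SSHD_CONFIG")"
if xauthority_mode_ok 600; then echo "mode 600: ok"; fi
if ! xauthority_mode_ok 644; then echo "mode 644: cookie readable by others"; fi
echo "sshd X11 listeners (pid port): $(ssh_x11_listeners "$SAMPLE_LSOF")"
```

On a real machine the same functions take live input, e.g. `display_kind "$DISPLAY"`, `effective_x11forwarding "$(cat /etc/ssh/sshd_config)"`, `xauthority_mode_ok "$(stat -c %a ~/.Xauthority)"` on GNU stat, and `ssh_x11_listeners "$(lsof -ni TCP:6000-6063)"`; a forwarded display on a host you do not fully trust is exactly the back channel the mail warns about.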