Re: security hole in X????
> "CC" == Carlos Carvalho <[EMAIL PROTECTED]> writes:

CC> The problem is that, with telnet, windows started on the remote
CC> machine open without problems in the local display, even without
CC> giving a xhost on the local machine. Is this correct? It only
CC> happens if you are the same user on both machines.

You don't have the same home directory on both machines? In that case, the .Xauthority file is shared and the clients on the remote machine know the magic cookie for the display. (all this assuming that you use either xdm or another way to start your X-server with the -auth option).

Otherwise, could there be something in your sequence of startup files which changes the access list of the server?

Cheers, Lukas

---
Dr. Lukas Nellen                 | Email: [EMAIL PROTECTED]
Depto. de Fisica Teorica, IFUNAM |
Apdo. Postal 20-364              | Tel.: +52 5 622 5014 ext. 218
01000 Mexico D.F., MEXICO        | Fax: +52 5 622 5015
Re: security hole in X????
If you share a home directory on both machines, and you're using xdm, then the access is based on the .Xauthority file in your homedir. "xauth list" should show the same thing on both systems, if this is the case.

(Generally this isn't much better -- it means you're still vulnerable to the "magic cookie" being sniffed as it goes over the net, but other users on the remote host can't connect as they could if you'd used xhost...)

As for rlogin: no bug, it's just that rlogin has no mechanism to pass environment variables (and there's no way to extend the protocol portably, rlogin is doomed, use telnet :-)
Re: security hole in X????
On Tue, 4 Jun 1996, Carlos Carvalho wrote:

> The problem is that, with telnet, windows started on the remote
> machine open without problems in the local display, even without
> giving a xhost on the local machine. Is this correct? It only
> happens if you are the same user on both machines.

How are you starting the X session? Are you using xdm, or something like startx? Are you sure that you aren't doing an 'xhost +' anywhere in your startup scripts?

Steve Early
[EMAIL PROTECTED]
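
The two checks suggested in the replies above (looking for an 'xhost +' in startup scripts, and comparing "xauth list" on both machines), as an added shell example that is not part of the original thread. The function names, file names and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All file contents below are constructed.

# scan_xhost FILE...: print "file:lineno:text" for each line that runs xhost
# with a "+" argument ("xhost +" or "xhost +somehost"), ignoring comments.
scan_xhost() {
    for f in "$@"; do
        [ -r "$f" ] || continue            # skip startup files that do not exist
        awk -v file="$f" '
            { code = " " $0; sub(/#.*/, "", code) }
            code ~ /[^A-Za-z0-9_]xhost[ \t]+[+]/ { printf "%s:%d:%s\n", file, NR, $0 }
        ' "$f"
    done
}

# shared_displays LOCAL REMOTE: given two saved "xauth list" outputs, print the
# display names whose (display, protocol, key) entry is identical in both files.
# Only the display name is printed, never the key.
shared_displays() {
    awk 'NF >= 3 { k = $1 " " $2 " " $3 }
         NF >= 3 && NR == FNR { seen[k] = 1; next }
         NF >= 3 && (k in seen) { print $1 }' "$1" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# xhost + (disabled)' 'xsetroot -solid grey' 'xhost +' > "$d/xinitrc"
    printf '%s\n' 'local.example:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff' \
        > "$d/local.xauth"
    cp "$d/local.xauth" "$d/remote.xauth"  # shared home directory: same file
    scan_xhost "$d/xinitrc"                # reports line 3 only
    shared_displays "$d/local.xauth" "$d/remote.xauth"   # prints local.example:0
    rm -rf "$d"
}
demo
```

On a real system the inputs would typically be startup files such as ~/.xinitrc or ~/.xsession, and the output of "xauth list" saved to a file on each host.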