* Dave Sherohman ([EMAIL PROTECTED]) [020520 10:49]:
> On Mon, May 20, 2002 at 06:39:22PM +0200, Kristian Rink wrote:
> > Something like 'xhost +' basically should
> > allow anyone (on your system) to connect to X hence to display any
> > graphical output.
>
> Bzzt! 'xhost +' allows anyone (on any system capable of contacting
> your system) to connect to X and display any graphical output. Not
> good...
>
> If you MUST use xhost, use 'xhost + localhost'. But using xauth or
> XAUTHORITY is the Right Way To Do It.

Thanks Dave! You just pointed out one of the many, many, MANY reasons to NEVER USE xhost. The reason you just illustrated: "When you might want to do 'xhost +localhost', you might accidentally enter 'xhost + localhost', which has the same effect as 'xhost +'."

Even if you DID get it "right", 'xhost +localhost' allows anyone on localhost to connect to your X server. Probably not what you want, especially on a system with many users, or any system with any users you don't fully trust (probably every system).

It's worth noting that the danger isn't just that anyone can display apps on your display. In addition to being able to open windows on your display, anyone else would be able to destroy any (or all) of your windows, view the contents of your screen remotely, log your keystrokes, or generate /any/ X event.

This horse has been beaten to death. Search Google and you'll probably come up with a kmself rant (TM) about why xhost is bad, along with info from plenty of other enlightened individuals.

Thankfully, Debian's X config has by default an option (and I won't tell you which if you don't know, because you shouldn't remove it) that disables the X server from listening for and accepting incoming tcp connections, so 'xhost +' won't hurt you as much as it should.

Use su and read the originating user's ~/.Xauthority, or use ssh's X forwarding.

> --
> When we reduce our own liberties to stop terrorism, the terrorists
> have already won. - reverius

Word. (and "too late.")

good times,
Vineet

--
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml
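
An added example, not part of the original thread: a POSIX shell function that reads the text printed by `xhost` and flags the two conditions discussed above, access control switched off (the result of a bare 'xhost +', including the 'xhost + localhost' typo) and host-wide entries such as localhost. The function name `audit_xhost` is hypothetical and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: audit the text printed by `xhost` (read from stdin).
# Prints one finding per line; exit status 1 if anything needs fixing.
audit_xhost() {
    awk '
        /^access control disabled/ {
            # State left behind by a bare "xhost +", including the
            # "xhost + localhost" typo: the host list is no longer consulted.
            print "CRITICAL: access control disabled; run \"xhost -\" to re-enable it"
            bad = 1; next
        }
        /^access control enabled/ { next }
        /^(INET6?|LOCAL):/ {
            # Host-based entry: every user on that host is allowed in.
            print "WARNING: host-wide entry " $1 "; remove it and rely on xauth cookies"
            bad = 1; next
        }
        NF { print "INFO: other entry " $1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_TYPO='access control disabled, clients can connect from any host
INET:localhost'
SAMPLE_LOCALHOST='access control enabled, only authorized clients can connect
INET:localhost'
SAMPLE_COOKIES_ONLY='access control enabled, only authorized clients can connect'

for sample in "$SAMPLE_TYPO" "$SAMPLE_LOCALHOST" "$SAMPLE_COOKIES_ONLY"; do
    if printf '%s\n' "$sample" | audit_xhost; then
        echo "OK: only cookie-authorized clients can connect"
    fi
    echo "--"
done
```

On a live session the same check is `xhost | audit_xhost`.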