l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
August 5: Social gathering
Next Installfest:
TBD
Latest News:
Jul. 4: July, August and September: Security, Photography and Programming for Kids
Page last updated:
2002 Nov 13 19:57

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] vim question
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] vim question



So what happens if you type:

   xhost +username

and someone creates a machine named "username"?  Can anyone from that
machine access your X?

Let's assume that's not a problem because X first checks /etc/passwd,
and if there's a user named "username", it gives that user the permission
but not to any machine.  What if you want to give all the users on
"hostname" access to your X, like this:

   xhost +hostname

then the root on the system decides to create a user named "hostname"?
Then now you can't connect from "hostname" and you've inadvertantly
given the user "hostname" a complete control over your X.

How does xhost work to get around these problems?

-Mark


On Tue, 12 Nov 2002, Rick Moen wrote:

> Quoting Michael Wenk (mikewenk@attbi.com):
>
> > Hmm, I was just about to say... :-)
> >
> > Yes the others will work, xhost tho, IMO is the fastest and requires the
> > least effort.  And I agree that xhost + is not a good way to go, in fact,
> > you may want to go a bit further and do an xhost +root@localhost
> >
> > I forget if xhost assumes wildcards, but why take chances, if you're
> > explicit, then you lessen the risk.
>
> For what it's worth, the xhost manpage says that the name following the
> "+" may be either a hostname or a username.
>
> Prior to reading your post attentively _and_ reading the manpage, I had
> been mislead by a recent thread on debian-security where one of the
> regulars swore up and down that (quoting) "xhost is _host_ based access
> control, so of course xhost +username doesn't work!"
>
> You can see posts from that thread at
> http://linuxmafia.com/~rick/linux-info/root-with-x11 , where your post
> is now immortalised at the end.
>
> And here, all these years, I've been eschewing xhost as a hopeless
> security risk.  Well, I learned something today.
>
> --
> Cheers,                                      Right to keep and bear
> Rick Moen                                  Haiku shall not be abridged
> rick@linuxmafia.com                           Or denied.  So there.
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>

-- 
Mark K. Kim
http://www.cbreak.org/
PGP key available upon request.


_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.