[vox-tech] vim question

Mark K. Kim vox-tech@lists.lugod.org
Wed, 13 Nov 2002 05:29:35 -0800 (PST)


So what happens if you type:

   xhost +username

and someone creates a machine named "username"?  Can anyone from that
machine access your X?

Let's assume that's not a problem because X first checks /etc/passwd,
and if there's a user named "username", it gives that user the permission
but not to any machine.  What if you want to give all the users on
"hostname" access to your X, like this:

   xhost +hostname

then the root on the system decides to create a user named "hostname"?
Then you can't connect from "hostname" and you've inadvertently
given the user "hostname" complete control over your X.

How does xhost work to get around these problems?

-Mark


On Tue, 12 Nov 2002, Rick Moen wrote:

> Quoting Michael Wenk (mikewenk@attbi.com):
>
> > Hmm, I was just about to say... :-)
> >
> > Yes the others will work, xhost tho, IMO is the fastest and requires the
> > least effort.  And I agree that xhost + is not a good way to go, in fact,
> > you may want to go a bit further and do an xhost +root@localhost
> >
> > I forget if xhost assumes wildcards, but why take chances, if you're
> > explicit, then you lessen the risk.
>
> For what it's worth, the xhost manpage says that the name following the
> "+" may be either a hostname or a username.
>
> Prior to reading your post attentively _and_ reading the manpage, I had
> been misled by a recent thread on debian-security where one of the
> regulars swore up and down that (quoting) "xhost is _host_ based access
> control, so of course xhost +username doesn't work!"
>
> You can see posts from that thread at
> http://linuxmafia.com/~rick/linux-info/root-with-x11 , where your post
> is now immortalised at the end.
>
> And here, all these years, I've been eschewing xhost as a hopeless
> security risk.  Well, I learned something today.
>
> --
> Cheers,                                      Right to keep and bear
> Rick Moen                                  Haiku shall not be abridged
> rick@linuxmafia.com                           Or denied.  So there.
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>

-- 
Mark K. Kim
http://www.cbreak.org/
PGP key available upon request.
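
The hostname-versus-username ambiguity raised above is sidestepped by giving xhost a family-qualified name instead of a bare one. The following is an added example, not part of this thread or of xhost itself; it assumes a modern X.Org xhost(1) with the si: and inet: families, and the classification function is my reading of how the xhost client parses a bare name, not the tool's own code.

```shell
# Added example, not from the thread or the xhost project. Assumes a modern
# X.Org xhost(1) with the "si:" and "inet:" families. XHOST names the
# binary to run; set XHOST=echo for a dry run that just prints the argument.

# How a bare NAME is interpreted, as I read xhost's argument parsing: an
# explicit "family:" prefix wins, "user@domain" is a Secure RPC netname,
# anything else is looked up as a hostname. Illustration, not xhost's code.
classify_xhost_name() {
    case "$1" in
        inet:*|inet6:*|dnet:*|nis:*|krb:*|local:*|si:*)
            printf 'explicit family %s\n' "${1%%:*}" ;;
        *@*) printf 'secure-rpc netname\n' ;;
        *)   printf 'hostname (resolver lookup)\n' ;;
    esac
}

# Grant exactly one local user: si:localuser is checked by the server against
# the client's local uid, so neither a resolver nor a username collision widens it.
grant_local_user() {
    case "$1" in
        ''|*:*|*@*|*[!A-Za-z0-9._-]*)
            echo "refusing suspicious user name: '$1'" >&2; return 1 ;;
    esac
    "${XHOST:-xhost}" "+si:localuser:$1"
}

# Grant all users on one host, explicitly as a host (never as a user name).
grant_host() {
    case "$1" in
        ''|*:*|*@*|*[!A-Za-z0-9.-]*)
            echo "refusing suspicious host name: '$1'" >&2; return 1 ;;
    esac
    "${XHOST:-xhost}" "+inet:$1"
}

# Audit the list a bare `xhost` prints (fed on stdin): returns 1 if access
# control is off or any entry is outside the two narrow forms used above.
audit_xhost_list() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) echo "WARN: $line"; status=1 ;;
            "access control enabled"*)  ;;
            SI:localuser:*|INET:*)      echo "ok:   $line" ;;
            *)                          echo "WARN: broad entry: $line"; status=1 ;;
        esac
    done
    return "$status"
}
```

Running `xhost | audit_xhost_list` after each grant shows which family the server actually stored, which is the check that settles what a given argument was taken to mean.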