>>>>> "wam" == William McVey <wam@cs.purdue.edu> writes:

wam> Benjamin Fried wrote:
Ben> Xhost actually has one advantage, of a sort, over xauth: users
Ben> of xhost can grant access, and later take that access away.

wam> You want to be very careful in assuming that because you type
wam> 'xhost -' that your vulnerability goes away. All clients (like
wam> xkey) started when the authority was off are still connected
wam> and are potentially dangerous. Additionally, clients (like
wam> xcrowbar) can be started when no authority is in place that
wam> turns off the authority mechanisms altogether, thus making the
wam> 'xhost -' a moot point.

That's a good point. I really wasn't trying to be an advocate for
xhost, though. I was pointing out that the xhost model allows for
revocation of access, and xauth (at least when using MIT-MAGIC-COOKIE
access control) does not permit revocation of a user's access. As you
explain, xhost's ability to revoke access is flawed; however, no such
capability exists at all with MIT-MAGIC-COOKIE.

From what I've read, X11R6's MIT-KERBEROS-5 authorization seems much
better: it lets the user enable and disable access on a per-user
basis, provided you're all running Kerberos 5.

Now if only our vendor(s) supported R6!

Ben