>> Xhost actually has one advantage, of a sort, over xauth: users of
>> xhost can grant access, and later take that access away.

> You want to be very careful in assuming that because you type
> 'xhost -' that your vulnerability goes away. [...existing
> connections are undisturbed...] Additionally, clients (like
> xcrowbar) can be started when no authority is in place that turns off
> the authority mechanisms altogether, thus making the 'xhost -' a moot
> point.

What's xcrowbar, and how does it "turn[] off the authority mechanisms
altogether"? In my experience, only clients running on the local
host, or the xdm host if the server was started with xdm, can fiddle
with the access control mechanisms.

In any case, yes, it's true that "xhost -" doesn't magically mean
you're safe again.

What I do, to get the convenience of "xhost -" without giving up quite
as much security, is I run a front-end program that accepts
connections, replaces the authentication in the startup exchange with
saved info that the server will accept, and also maintains a window
displaying a list of the connections (currently just host addresses,
but it could be modified to display user names if the remote host
supports IDENT).

My program currently doesn't, but could, monitor the X request/reply
stream and take arbitrary action (freeze the connection, alert me, pop
up an interactive protocol debugger window) if it sees something
questionable, like a client selecting for keystrokes on a window it
didn't create.

der Mouse

mouse@collatz.mcrcim.mcgill.edu
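
The startup-exchange rewrite described in the post above, as an added example that is not der Mouse's program: it parses a client's X11 connection setup request and re-emits it with saved authorization. The MIT-MAGIC-COOKIE-1 scheme, the function names and the sample cookie value are assumptions.

```python
import struct

def _pad4(b: bytes) -> bytes:
    """X11 pads variable-length setup fields to a multiple of 4 bytes."""
    return b + b"\0" * (-len(b) % 4)

def parse_setup(req: bytes):
    """Parse a client's connection setup request.

    Returns (byte_order, major, minor, auth_name, auth_data).
    """
    if len(req) < 12:
        raise ValueError("shorter than the 12-byte fixed header")
    order = {0x42: ">", 0x6C: "<"}.get(req[0])  # 'B' MSB first, 'l' LSB first
    if order is None:
        raise ValueError("invalid byte-order byte")
    major, minor, nlen, dlen = struct.unpack(order + "HHHH", req[2:10])
    data_start = 12 + nlen + (-nlen % 4)
    data_end = data_start + dlen
    # A proxy must buffer until the padded auth fields have fully arrived.
    if len(req) < data_end + (-dlen % 4):
        raise ValueError("truncated authorization fields")
    return order, major, minor, req[12:12 + nlen], req[data_start:data_end]

def replace_auth(req: bytes, saved_name: bytes, saved_data: bytes) -> bytes:
    """Re-emit the setup request with the client's auth swapped for saved info."""
    order, major, minor, _name, _data = parse_setup(req)
    header = struct.pack(order + "BxHHHH2x", req[0], major, minor,
                         len(saved_name), len(saved_data))
    return header + _pad4(saved_name) + _pad4(saved_data)

# Constructed sample: a little-endian X11 (protocol 11.0) client with no auth.
SAMPLE_CLIENT = struct.pack("<BxHHHH2x", 0x6C, 11, 0, 0, 0)
# Assumption: the saved info is a MIT-MAGIC-COOKIE-1 cookie (value constructed).
SAVED_NAME, SAVED_COOKIE = b"MIT-MAGIC-COOKIE-1", bytes(range(16))

if __name__ == "__main__":
    out = replace_auth(SAMPLE_CLIENT, SAVED_NAME, SAVED_COOKIE)
    print(len(out), parse_setup(out)[3:])
```

Whatever authorization the client sent is discarded, so the front end itself becomes the access-control point and has to decide which connections to accept before forwarding.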