xcrowbar

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Wed, 11 Jan 1995 13:54:20 -0500

>> What's xcrowbar, and how does it "turn[] off the authority
>> mechanisms altogether"?  In my experience, only clients running on
>> the local host, or the xdm host if the server was started with xdm,
>> can fiddle with the access control mechanisms.

> As for only the local host or xdm host being able to "fiddle with the
> access control mechanism", I highly doubt that the statement is true.
> X servers (well, at least the distributed ones) don't pay any special
> attention to whether a client is local or remote.

Then someone's broken things rather severely in the last year or two.
Back in the R4 days (which was when I kinda dropped out of touch with
current X), the server _did_ pay attention for purposes of access
control.  The R4 protocol document's description of the
SetAccessControl request is

	SetAccessControl
	
	  mode: {Enable, Disable}
	
	  Errors: Access, Value
	
	This request enables or disables the use of the access control
	list at connection setups.
	
	The client must reside on the same host as the server and/or
	have been granted permission by a server-dependent method to
	execute this request (or an Access error results).

Now, of course, the "server-dependent method" could simply be to grant
access to all clients, so what you describe would not, technically, be
a protocol violation.  But go look through
mit/server/os/4.2bsd/access.c in the R4 distribution and you'll see
that at least back then, it did pay attention; various things call
AuthorizedClient().  If you find a server that doesn't, I would
recommend sending a critical security bug report to its source (vendor,
or the Consortium if you're using Consortium servers).  And then pester
them until they fix it!

>> What I do, to get the convenience of "xhost -" without giving up
>> quite as much security, is I run a front-end program [...]
> I don't suppose the program you run is freely available someplace?

Anonymous ftp to collatz.mcrcim.mcgill.edu, cd /X, do a dir of xconns*
and fetch whatever you think looks interesting.  (Ask for .gz files if
possible, please, to reduce demands on my poor slow netlink....)

It really needs work, though.  It should do at least minimal
monitoring, it should use IDENT, etc....

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
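
Added example, not part of the original message and not the R4 access.c code: a minimal C sketch of the kind of server-side check the quoted protocol text describes, where a request to change access control gets an Access error unless the client's peer address is on the server's own host. The names peer_is_local, set_access_control and make_inet are hypothetical, the mode constants are local to the sketch, and validating the mode before the peer is this sketch's own choice.

```c
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

enum { MODE_DISABLE = 0, MODE_ENABLE = 1 };           /* constants local to this sketch */
enum { REQ_OK = 0, ERR_ACCESS = -1, ERR_VALUE = -2 };  /* the two errors the request lists */

/* Hypothetical helper: 1 if the peer address belongs to this host, else 0. */
int peer_is_local(const struct sockaddr *peer)
{
    if (peer == NULL) return 0;
    if (peer->sa_family == AF_UNIX) return 1;   /* Unix-domain socket: same host */
    if (peer->sa_family != AF_INET) return 0;   /* unhandled family: fail closed */

    const struct sockaddr_in *p = (const struct sockaddr_in *)peer;
    if ((ntohl(p->sin_addr.s_addr) >> 24) == 127) return 1;   /* loopback net */

    /* Otherwise the peer must match an address configured on an interface. */
    struct ifaddrs *ifs = NULL, *i;
    int local = 0;
    if (getifaddrs(&ifs) != 0) return 0;        /* cannot tell: fail closed */
    for (i = ifs; i != NULL && !local; i = i->ifa_next) {
        if (i->ifa_addr == NULL || i->ifa_addr->sa_family != AF_INET) continue;
        const struct sockaddr_in *a = (const struct sockaddr_in *)i->ifa_addr;
        local = (a->sin_addr.s_addr == p->sin_addr.s_addr);
    }
    freeifaddrs(ifs);
    return local;
}

/* Hypothetical request handler: changes *enabled only for a local peer. */
int set_access_control(const struct sockaddr *peer, int mode, int *enabled)
{
    if (mode != MODE_ENABLE && mode != MODE_DISABLE) return ERR_VALUE;
    if (!peer_is_local(peer)) return ERR_ACCESS;
    *enabled = mode;
    return REQ_OK;
}

/* Builds an IPv4 peer address from dotted-quad text (constructed test input). */
struct sockaddr_in make_inet(const char *dotted)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    inet_pton(AF_INET, dotted, &sa.sin_addr);
    return sa;
}
```

A peer address only identifies the host, not the user, so a check like this treats every account on the server's machine as equally trusted.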