>> What's xcrowbar, and how does it "turn[] off the authority
>> mechanisms altogether"?  In my experience, only clients running on
>> the local host, or the xdm host if the server was started with xdm,
>> can fiddle with the access control mechanisms.

> As for only the local host or xdm host being able to "fiddle with the
> access control mechanism", I highly doubt that the statement is true.
> X servers (well, at least the distributed ones) don't pay any special
> attention to whether a client is local or remote.

Then someone's broken things rather severely in the last year or two.
Back in the R4 days (which was when I kinda dropped out of touch with
current X), the server _did_ pay attention for purposes of access
control.  The R4 protocol document's description of the
SetAccessControl request is

	SetAccessControl
		mode: {Enable, Disable}
	Errors: Access, Value

	This request enables or disables the use of the access control
	list at connection setups.  The client must reside on the same
	host as the server and/or have been granted permission by a
	server-dependent method to execute this request (or an Access
	error results).

Now, of course, the "server-dependent method" could simply be to grant
access to all clients, so what you describe would not, technically, be
a protocol violation.  But go look through
mit/server/os/4.2bsd/access.c in the R4 distribution and you'll see
that at least back then, it did pay attention; various things call
AuthorizedClient().

If you find a server that doesn't, I would recommend sending a critical
security bug report to its source (vendor, or the Consortium if you're
using Consortium servers).  And then pester them until they fix it!

>> What I do, to get the convenience of "xhost -" without giving up
>> quite as much security, is I run a front-end program [...]

> I don't suppose the program you run is freely available someplace?

Anonymous ftp to collatz.mcrcim.mcgill.edu, cd /X, do a dir of xconns*
and fetch whatever you think looks interesting.  (Ask for .gz files if
possible, please, to reduce demands on my poor slow netlink....)

It really needs work, though.  It should do at least minimal
monitoring, it should use IDENT, etc....

					der Mouse

			mouse@collatz.mcrcim.mcgill.edu
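
An added example, not part of the original message and not the R4 server's code: a small C model of the SetAccessControl rule quoted above, where the request is refused with an Access error unless the client is on the server's host or was granted permission some other way. The names peer_is_local, set_access_control and inet_peer are hypothetical, the check is IPv4-only, and server_granted stands in for the "server-dependent method".

```c
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical model of the protocol rule; not taken from access.c. */
typedef enum { ACCESS_OK, ACCESS_ERROR } access_result;

/* True if the peer is on this host: a Unix-domain socket, IPv4 loopback,
 * or an IPv4 address configured on a local interface. Fails closed. */
bool peer_is_local(const struct sockaddr *peer)
{
    if (peer == NULL) return false;
    if (peer->sa_family == AF_UNIX) return true;
    if (peer->sa_family != AF_INET) return false;   /* unknown family */
    struct sockaddr_in in;
    memcpy(&in, peer, sizeof in);
    if ((ntohl(in.sin_addr.s_addr) >> 24) == 127) return true;
    struct ifaddrs *list, *p;
    bool found = false;
    if (getifaddrs(&list) != 0) return false;       /* cannot enumerate */
    for (p = list; p != NULL && !found; p = p->ifa_next) {
        if (p->ifa_addr == NULL || p->ifa_addr->sa_family != AF_INET)
            continue;
        found = ((struct sockaddr_in *)p->ifa_addr)->sin_addr.s_addr == in.sin_addr.s_addr;
    }
    freeifaddrs(list);
    return found;
}

/* SetAccessControl gate: a remote client without a server-side grant gets
 * an Access error and the access control list setting is left untouched. */
access_result set_access_control(const struct sockaddr *peer, bool server_granted, bool enable, bool *acl_enabled)
{
    if (!peer_is_local(peer) && !server_granted)
        return ACCESS_ERROR;
    *acl_enabled = enable;
    return ACCESS_OK;
}

/* Build a constructed IPv4 peer address for exercising the gate. */
struct sockaddr_in inet_peer(const char *dotted)
{
    struct sockaddr_in sa; memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    inet_pton(AF_INET, dotted, &sa.sin_addr);
    return sa;
}
```

A server that passes true for server_granted on every connection reproduces the "grant access to all clients" case described above: protocol-conformant, but any remote client can then disable the access control list.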