home *** CD-ROM | disk | FTP | other *** search
- Newsgroups: alt.security
- From: bsy+@CS.CMU.EDU (Bennet Yee)
- Subject: Re: X Lack of Security
- Message-ID: <1992Mar26.005744.108041@cs.cmu.edu>
- Date: Thu, 26 Mar 92 00:57:44 GMT
- Organization: Cranberry Melon, School of Cucumber Science
- References: <CONS.92Mar24173517@mercury.cern.ch> <1992Mar24.181039.28991@news.iastate.edu> <1992Mar25.193359.224841@cs.cmu.edu> <1992Mar25.225034.16298@fwi.uva.nl>
-
- Apparently I wasn't being sufficiently clear.
-
- In article <1992Mar25.225034.16298@fwi.uva.nl>, casper@fwi.uva.nl (Casper H.S. Dik) writes:
- >bsy+@CS.CMU.EDU (Bennet Yee) writes:
- >
- >>For most users, simply using the Unix domain socket that's in
- >>/tmp/.X11-unix (by doing a ``setenv DISPLAY unix:0.0'') will permit
- >>access. File access control bits for Unix domain sockets are not
- >>checked properly. It is easy enough to work around, albeit inelegant:
- >>simply move the socket to a directory in a path that you have control
- >>over (creating your own directory under a sticky /tmp/.X11-unix is
- >>sufficient), make the old name a symlink to the new socket name, and
- >>then fix the directory access permissions.
- >
- >The access to the socket is no important. All users have access
- >to /tmp/.X11-unix/X0, but also to 6000/tcp. MIT-MGIC-COOKIE will be
- >enforced on all connection, regardless of their origin.
-
- The point here is that xhost access control applies only to the TCP
- based connections, not the Unix domain ones. You can un-xhost all
- hosts (including the localhost), but you have to do something special
- to really turn off access via the Unix domain socket when you're not
- using the magic cookie protocol. Casper's comment, while true, is
- orthogonal to this.
-
- -bsy
-
- --
- Bennet S. Yee Phone: +1 412 268-7571 Email: bsy+@cs.cmu.edu
- School of Computer Science, Carnegie Mellon, Pittsburgh, PA 15213-3890
-
-
