On Thu, Oct 06, 2005 at 10:06:50AM +1000, Drew Parsons wrote:
> Not useless, only if there's a local user vindictive enough to cause
> this sort of disruption.
I have in mind the usual setup on a univerity, school or workplace. It
is common to have some malicious users between them. I did not found
usernames in the log, so a system administrator has no way to find the
user who 'broke' Xprt.

> I'm not sure how enthusiastic some systems would be to have an Xprt
> instance running for every single user, however.  It's not what it's
> generally intended for. 
Xprt and X can be started at anytime by a user and they can continue
running after the user leaves. This is a problem the system
adminstrators have already. I don't think it is strange to make Xprt
synchronize with X startup, faking the one server setup we will probably
get someday in the future. But I admit that it would be better to run a
single deamon.

I saw in the man page of Xsecurity that there are a lot of different
authetication methods in Xprt. It looks like MIT-MAGIC-COOKIE-1 is
usefull:

"This system is useful in an environment where many users are running
applications on the same machine and want to avoid interference from
each other,  with  the caveat  that  this  control  is only as good as
the access control to the physical network."

It is running in no-listen mode anyway. When a user has a cookie he
cannot be excluded by other users. Giving the cookie can be done
together with setting the environment or something like that. 

Please note that I have no experience with security of X servers, so I
might be way of... :-D

Regards,
Christof


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to