Christian Hudon wrote:
>
> On Jun 21, Gernot Bauer wrote
> > > Hi,
> > > I recently upgraded my Xfree setup to 3.3 from unstable. But now I seem
> > > to have some problems.
> > > Only the user that runs the xserver (startx) can run apps on it
> > > any attempt to run an app by another user is refused. eg below;
> > >
> > ># xhost
> > >
> > >Xlib: connection to ":0.0" refused by server
> > >Xlib: Invalid MIT-MAGIC-COOKIE-1 key
> > >xhost: unable to open display ":0.0"
> > >#
> >
> > Isn't this a "feature"? Did you try "xhost +"? My root-user also must not
> > open windows on my (user-)screen. "xhost +" disables this.
>
> ... and enables anyone on the Internet to connect to your X server and,
> say, stuff the string "rm -rf /" in an open root xterm. Or read everything
> you type, including passwords.
>
> Doing "xhost +" in response to an "Invalid MIT-MAGIC-COOKIE-1 key" is
> pretty much the equivalent of making all files writable by anyone ("chmod
> -R ugo+w /") and setting all the passwords to "" in response to a
> "permission denied" error when trying to access a file. Anyone that can get
> to your machine can now do pretty much anything they want to it. So, unless
> your machine is never connected to any kind of network, it's definitely a
> *bad* idea. And the "Invalid MIT-MAGIC-COOKIE-1 key" message that other
> users get when trying to connect to your X server is definitely a *feature*
> (enclosed in stars) as opposed to a "feature" (enclosed in quotes).
>
> If you trust everyone who has a login on your machine, do "xhost
> +local:" instead of "xhost +". This will allow only non-network, local
> connections to your X server.
> [snip]

Ooops, thanx for these hints. Looks like I should take some more lessons in
"security"-matters...

Gernot
--
--------------------------
Gernot Bauer
University of Linz
[EMAIL PROTECTED]
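
Added example (not part of the original thread): a small shell check that reads the output of a plain "xhost" call and flags the states discussed above, i.e. access control switched off by "xhost +" versus the narrower "xhost +local:". The function names and the sample lines are constructed for illustration; the script assumes the usual xhost listing of one status line followed by one grant per line.

```sh
#!/bin/sh
# Added example: audit the access-control state that `xhost` reports.
# Usage on a live display:  xhost | audit_xhost
# Exit status: 0 = cookie auth only, 1 = local-only grants, 2 = network exposure.

audit_xhost() {
    worst=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left behind by "xhost +": the cookie is no longer checked.
                echo "CRITICAL: access control disabled, any host can connect"
                worst=2 ;;
            "access control enabled"*|"")
                ;;  # normal status line or blank line, nothing to report
            LOCAL:|local:)
                # State left behind by "xhost +local:".
                echo "WARN: every local user can connect without the cookie"
                if [ "$worst" -lt 1 ]; then worst=1; fi ;;
            SI:localuser:*)
                echo "INFO: local user ${line#SI:localuser:} can connect without the cookie"
                if [ "$worst" -lt 1 ]; then worst=1; fi ;;
            *)
                # Any other entry is a host-based grant (for example INET:name).
                echo "HIGH: host grant '$line' lets that host skip the cookie"
                worst=2 ;;
        esac
    done
    return "$worst"
}

# Constructed sample: what `xhost` prints after "xhost +" and "xhost +local:".
sample_xhost_output() {
    cat <<'EOF'
access control disabled, clients can connect from any host
LOCAL:
INET:workstation.example.invalid
EOF
}

# Demo run on the constructed sample; the status is printed instead of aborting.
sample_xhost_output | audit_xhost || echo "audit status: $?"
```

A status of 0 means the server still relies on the MIT-MAGIC-COOKIE-1 check alone, which is the state that produced the "Invalid MIT-MAGIC-COOKIE-1 key" message in the first post.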