on Mon, May 20, 2002, Vineet Kumar ([EMAIL PROTECTED]) wrote:
> * Dave Sherohman ([EMAIL PROTECTED]) [020520 10:49]:
> > On Mon, May 20, 2002 at 06:39:22PM +0200, Kristian Rink wrote:
> > > Something like 'xhost +' basically should
> > > allow anyone (on your system) to connect to X hence to display any
> > > graphical output.
> >
> > Bzzt! 'xhost +' allows anyone (on any system capable of contacting
> > your system) to connect to X and display any graphical output. Not
> > good...
> >
> > If you MUST use xhost, use 'xhost + localhost'. But using xauth or
> > XAUTHORITY is the Right Way To Do It.
>
> Thanks Dave! You just pointed out one of the many, many, MANY reasons to
> NEVER USE xhost. The reason you just illustrated: "When you might want
> to do 'xhost +localhost', you might accidentally enter
> 'xhost + localhost', which has the same effect as 'xhost +'."
>
> Even if you DID get it "right", 'xhost +localhost' allows anyone on
> localhost to connect to your X server. Probably not what you want,
> especially on a system with many users, or any system with any users you
> don't fully trust (probably every system).
>
> It's worth noting that the danger isn't just that anyone can display
> apps on your display. In addition to being able to open windows on your
> display, anyone else would be able to destroy any (or all) of
> your windows, view the contents of your screen remotely, log your
> keystrokes, or generate /any/ X event.
>
> This horse has been beaten to death. Search google and you'll probably
> come up with a kmself rant (TM) about why xhost is bad, along with info
> from plenty of other enlightened individuals.

http://www.google.com/search?hl=en&q=karsten+self+xauth+merge

...and hit "I'm feeling lucky".

Peace.

--
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Hollings: bought, paid for, but couldn't deliver the CBDTPA:
     http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html
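
A check for the two states discussed in this thread, added here as an example and not part of any of the original messages: it classifies the text a bare `xhost` prints, separating "access control disabled" (what `xhost +` and the typo `xhost + localhost` leave behind) from host-wide entries (what `xhost +localhost` leaves behind). The function name `audit_xhost` and the sample texts are constructed; the line formats assumed are those printed by current xhost releases, with bare host names from older ones caught by the fallthrough case.

```shell
#!/bin/sh
# Added example: classify the text printed by a bare `xhost` (read from stdin).
# Prints one finding per line; returns 0 if nothing is open, 1 otherwise.
audit_xhost() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left by `xhost +` and by the typo `xhost + localhost`.
                echo "OPEN: access control is off, any host that can reach the server may connect"
                findings=1 ;;
            "access control enabled"*|"")
                ;;
            SI:localuser:*)
                # Per-user entry: narrower than a host entry, reported as a note.
                echo "USER: local user ${line#SI:localuser:} is allowed by xhost" ;;
            *)
                # INET:/INET6:/LOCAL: or a bare host name: every user on that
                # host can connect (the `xhost +localhost` case).
                echo "HOST: every user on '$line' may connect"
                findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample: state after the typo `xhost + localhost`.
SAMPLE_TYPO='access control disabled, clients can connect from any host
INET:localhost'
# Constructed sample: state after `xhost +localhost`.
SAMPLE_HOST='access control enabled, only authorized clients can connect
INET:localhost'
# Constructed sample: nothing granted with xhost, xauth cookies only.
SAMPLE_CLEAN='access control enabled, only authorized clients can connect'

for s in "$SAMPLE_TYPO" "$SAMPLE_HOST" "$SAMPLE_CLEAN"; do
    printf '%s\n' "$s" | audit_xhost || true
    echo "--"
done
```

On a live session the same function reads real state with `xhost | audit_xhost`.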