On Mon, 11 May 2020 14:38:48 +0000 ornx <o...@protonmail.com> wrote: > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > On Monday, May 11, 2020 8:18 AM, Attila Kinali <att...@kinali.ch> > wrote: > > > On Mon, 11 May 2020 01:41:11 +0000 > > ornx o...@protonmail.com wrote: > > > > > why? > > > > Probably because it has never come up? X was intended to be used > > on desktops, which, usually, had only a single network interface. > > In case restrictions were needed, xauth/xhost provided the means > > to limit access. These days TCP is even disabled on most distros > > by default, for security reasons. > > > > Attila Kinali > > >X was intended to be used on desktops > is this really true? my understanding is that X has always had a > networked client/server model > > my use case is that i need X to use TCP so that i can intercept its > traffic with wireshark for debugging purposes, but i only need this > server accessible on the loopback interface and specifically do not > want it listening on any other interfaces for basic security reasons > of not giving programs any network resources that they do not > strictly need. using xauth/xhost seems insufficient for this purpose, > because i already know that i do not want any external traffic to be > able to access the server, why do i need to decide this at the > application level instead of specifying it at the network level? what > if there is a bug in the X authentication mechanism? the workaround > for this is also rather inconvenient and requires specialized > knowledge, to prevent external network traffic from reaching X now > involves writing firewall rules instead of merely setting a flag > limiting the interfaces that X is listening on. it is also at odds > with normal networking application behavior, i have actually never > encountered a program before that listened on a port but did not > allow to specify the listening interface > > is the reason why this behavior has not been implemented in Xorg > simply because nobody has thought to add it, or is there a specific > reason that it was left out? if someone provided a patch implementing > this behavior, would it have a chance of being merged?
I think you can do what you want using socat as described at https://superuser.com/questions/484671/can-i-monitor-a-local-unix-domain-socket-like-tcpdump The socket might be /tmp/.X11-unix/X0 for example. _______________________________________________ xorg@lists.x.org: X.Org support Archives: http://lists.freedesktop.org/archives/xorg Info: https://lists.x.org/mailman/listinfo/xorg Your subscription address: %(user_address)s
