Subject: Re: Disabling xhost(1) Access Control
From: Cy Schubert - ITSD Open Systems Group (Cy.Schubertuumail.gov.bc.ca)
Date: Wed Aug 30 2000 - 08:45:45 CDT


In message <Pine.GS4.4.21.0008301504230.29108-100000martens.math.ntnu.no>, Per Kristian Hove writes:
> [Johan Danielsson]
>
> | If you want to do that there are at least two places you have to
> | change the behaviour in programs/Xserver/os/access.c:
> |
> | * for the `xhost +' case change ChangeAccessControl(), to only succeed
> | for the enable case (paranoid people use `xhost -' routinely).
> |
> | * for `xhost +host' change AddHost() to your liking (ifdef out
> | FamilyInternet).
>
> If you're paranoid, you should also change the default behaviour
> of InvalidHost() [also in access.c] to return 1 instead of 0 if
> AccessEnabled isn't set [if you're running with `xhost +', that
> is]. This is where the access check actually takes place.

A less invasive approach would be to specify -nolisten tcp on your
Xserver command line. Users must then set their DISPLAY variable to
:0, as it uses UNIX Domain Sockets.

Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Team Leader, Sun/DEC Team Internet: Cy.Schubertosg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
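
A way to audit the `-nolisten tcp` setting suggested in the reply above, as an added example that is not part of the original thread. The function names, the list of X server binary names, the 6000-6063 port range (displays 0-63) and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit whether X servers are reachable over TCP.
# All sample data below is constructed for illustration.

# Read process command lines on stdin (one per line) and print every
# X server that was started without "-nolisten tcp".
# Assumption: the server binary is named X, Xorg or XFree86.
x_missing_nolisten() {
    awk '
    {
        n = split($1, p, "/"); name = p[n]
        if (name != "X" && name != "Xorg" && name != "XFree86") next
        ok = 0
        for (i = 2; i < NF; i++)
            if ($i == "-nolisten" && $(i + 1) == "tcp") ok = 1
        if (!ok) print
    }'
}

# Read listening local addresses on stdin (one "addr:port" or "addr.port"
# per line) and print the distinct ports that fall in the X display range.
# Assumption: displays 0-63, i.e. TCP ports 6000-6063.
x_tcp_ports() {
    awk '
    {
        n = split($1, a, /[:.]/); port = a[n]
        if (port ~ /^[0-9]+$/ && port + 0 >= 6000 && port + 0 <= 6063)
            print port
    }' | sort -un
}

# Constructed sample: display :0 still listens on TCP, display :1 does not.
PS_SAMPLE='/usr/X11R6/bin/X :0 -auth /var/run/xauth/A:0-abc
/usr/X11R6/bin/X :1 -nolisten tcp -auth /var/run/xauth/A:1-def
/usr/sbin/sshd -D'

# Constructed sample of listening local addresses in common formats.
LISTEN_SAMPLE='*.6000
127.0.0.1:631
0.0.0.0:22
[::]:6000'

echo "X servers without -nolisten tcp:"
printf '%s\n' "$PS_SAMPLE" | x_missing_nolisten
echo "X display ports listening on TCP:"
printf '%s\n' "$LISTEN_SAMPLE" | x_tcp_ports
```

On a live host, pipe the output of `ps -e -o args` into `x_missing_nolisten` and the local-address column of the system's listening-socket listing into `x_tcp_ports`; both should print nothing once every server runs with `-nolisten tcp`.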