Re: X-windows security in Gnome
- From: <Jim Gettys hp com>
- To: Brian Cameron <Brian Cameron Sun COM>
- Cc: gnome-hackers gnome org, jwz jwz org
- Subject: Re: X-windows security in Gnome
- Date: Thu, 16 May 2002 12:28:18 -0700 (PDT)
Brian,
Yes, if you do "xhost +", you are completely disabling any access control
to your X server, and I've got you. You are entirely correct. X was
designed in the bad old days when the US Government made it impossible
to deal with crypto; ironically, I shared an office with Steve Miller,
one of the original authors of Kerberos. We did put enough hooks
in to allow for later addition of other than host-based authentication.
One response is "don't do that"; but that is a bit of a cop-out, IMHO.
One thing that should be done would be to at least put a warning into
the xhost program to inform the great unwashed masses that they probably
don't want to do that.... Certainly Gnome's control panel should strongly
warn against such usage, and the command line xhost program should warn
strongly against doing this these days. Sending a trival patch to xhost
XFree86's way to make such a warning is probably appropriate.There are
times that you really do need to remove all access control for various
reasons, so removing the capability entirely is not viable.
There is also Kerb5 support in the source pool for X; I don't think people
always build it.
As far as the security stuff you reference, that was designed for
compartmented mode workstations (you may remember that U.S. government
fantasy that many of the UNIX vendors chased for a while: e.g. the "RedBook").
I'm skeptical of its value.
But stronger authentication of connections is a "good thing"; so I'd
recommend going the Kerberos 5 route; and it may be that the stuff
you reference helps there (I haven't looked at it carefully; it happened
during an era I didn't pay much attention to X). MIT-MAGIC-COOKIE is
pretty lame, only a step or two up from no authentication at all.
- Jim
--
Jim Gettys
Cambridge Research Laboratory
HP Labs, Hewlett-Packard Company
Jim Gettys hp com
_______________________________________________
gnome-hackers mailing list
gnome-hackers gnome org
http://mail.gnome.org/mailman/listinfo/gnome-hackers
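
Added example, not part of the original message and not xhost's own code: a shell sketch of the warning the message proposes, plus a check that reads `xhost` output to tell whether access control is currently off. The function names and sample outputs are constructed for illustration; the treatment of a bare `+` as the final argument is an assumption about the xhost command line.

```shell
# Added example: warn before "xhost +" and audit the current X access-control state.
# Function names are hypothetical; nothing here is taken from the xhost source.

# Return 0 if the arguments would disable access control entirely.
# Assumption: a bare "+" given as the final argument turns access control off,
# while "+name" only adds one entry to the access list.
xhost_args_disable_acl() {
    _xh_last=""
    for _xh_arg in "$@"; do
        _xh_last=$_xh_arg
    done
    [ "$_xh_last" = "+" ]
}

# Read the output of `xhost` (run with no arguments) on stdin.
# Return 0 if it reports that access control is disabled.
xhost_output_is_open() {
    while IFS= read -r _xh_line; do
        case "$_xh_line" in
            "access control disabled"*) return 0 ;;
        esac
    done
    return 1
}

# Wrapper: print the warning on stderr, then run the real xhost unchanged,
# since the capability sometimes is needed and should not be removed.
xhost_warn() {
    if xhost_args_disable_acl "$@"; then
        echo "warning: 'xhost +' disables all X server access control;" >&2
        echo "         any client that can reach this display may connect." >&2
    fi
    command xhost "$@"
}

# Constructed sample outputs for the audit check (not captured from a real host).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:jim'
```

A login-time check could pipe the real `xhost` output into `xhost_output_is_open` and alert when it returns success.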