Re: X-windows security in Gnome
- From: Jamie Zawinski <jwz jwz org>
- To: Brian Cameron <Brian Cameron sun com>
- Cc: otaylor redhat com, gnome-hackers gnome org
- Subject: Re: X-windows security in Gnome
- Date: Fri, 17 May 2002 03:40:18 -0700
Brian Cameron wrote:
>
> > If there are any iconified terminals around, arbitrary commands can be
> > executed by sending synthetic keypress events to them.
>
> This is simply not true. I was hoping not to have to type in the
> specifics of the "Security Extension Specifcation", but since there
> seems to be so much confusion, I will go into more detail.
Ah, I had read that spec, but I interpreted it as saying that these
things were only true when "secure mode" had been turned on, e.g., while
reading a password, not all the time. I get it now.
But rather than making sure this extension works properly on every X
server, and then modifying those clients that need to take advantage of
it explicitly, and then making sure that all users have upgraded to said
versions of those clients, doesn't it seem a whole lot easier to just
use a firewall and be done with it? It does to me. Everybody
understands firewalls already.
*No* machine can get TCP packets to my machine's X server. When I run X
apps remotely, they come in through ssh. My X server could just as
easily not listen to TCP connections at all: *every* connection to it,
even ones from across the country, come in through domain sockets.
That doesn't address the issue of multi-user machines, of course, but to
hijack a domain socket from another user, you have to have 0wned the
file system, and if you've done that, you've already won anyway.
--
Jamie Zawinski
jwz jwz org http://www.jwz.org/
jwz dnalounge com http://www.dnalounge.com/
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]