List:       kde-user
Subject:    Re: Can't start programs online.
From:       Andreas Pour <pour () mieterra ! com>
Date:       1999-07-28 16:33:12
jedd wrote:

> On Wed, 28 Jul 1999, Jesper Krogh wrote:
>
>  ] "xhost +" and "xhost +localhost" work.
>  ] But does anyone have a good reason why this has to be done?
>  ] It should not be necessary ... should it?
>
>  Well, 'should' is a matter of taste.   It's generally regarded that
>  security should be a higher priority than convenience, and for
>  the most part I think that approach is sage.
>
>  In my autostart in KDE, I run a script that just does 'xhost +'.
>  (I can't do it before KDE (X) starts, because xhost needs to
>  talk to a running Xserver, of course.)  By doing this, I allow
>  any other user of this computer to start programs that will
>  display on my monitor.  This is considered a security issue,
>  and rightly so.  I don't want an xterm appearing on a window
>  somewhere, finding it, thinking it's mine, and doing an 'su',
>  only to have someone's trojan horse capture my root p/w.
>
>  (That's the answer to your first question :)
>
>  In my instance, and probably in yours too, this is a non-issue,
>  since a) I am not connected to a network (very often), and
>  b) there are no other valid user accounts on this machine, so
>  that style of attack is not possible.

If someone happens to conduct a port scan while you are temporarily
attached to the Internet (using your dial-up ISP, e.g.), and notices that
the X Server port (6000) is available, they can launch all kinds of
attacks, whether or not you have set xhost+, but especially if you have.
If xhost+ is set, an attacker can easily make screendumps, catch
keystrokes and fake keystrokes, all pretty much without you knowing about
it.

Regards,

Andreas Pour

-- 
Send posts to:  kde-user@lists.netcentral.net
 Send all commands to:  kde-user-request@lists.netcentral.net
  Put your command in the SUBJECT of the message:
   "subscribe", "unsubscribe", "set digest on", or "set digest off"

All kde mailing lists are archived at http://lists.kde.org
**********************************************************************
This list is from your pals at NetCentral <http://www.netcentral.net/>
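The two risks raised in this thread are separate: 'xhost +' disables access control, and an X server listening on TCP port 6000 (plus the display number) makes that open server reachable from the network. The script below is an added example, not something posted in the thread; it audits both conditions on the local machine and rates the combination. It assumes a POSIX sh and, for the live check only, xhost(1) and ss(8); the embedded sample outputs are constructed and are used when those tools or a DISPLAY are absent.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the local X server is
# exposed as the message describes, i.e. access control disabled by
# 'xhost +' and/or the X TCP port (6000 + display number) listening.
# Assumes POSIX sh; xhost(1) and ss(8) are only needed for the live check.

# Constructed sample outputs, used when no X server or ss(8) is available.
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_SS_X_LISTENING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_SS_NO_X='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'

# classify_xhost: reads xhost(1) output on stdin; prints "open" when the
# server accepts clients from any host (the effect of 'xhost +'), else
# "restricted".
classify_xhost() {
    if grep -q 'access control disabled'; then
        echo open
    else
        echo restricted
    fi
}

# x_tcp_listening: reads 'ss -ltn' output on stdin; prints "yes" if any
# socket listens on TCP 6000-6009 (displays :0 through :9), else "no".
x_tcp_listening() {
    if grep -Eq ':600[0-9]([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# risk_level: combines the two findings.
#   high   - TCP reachable and access control off: any host on the network
#            can connect, grab the screen and read or inject keystrokes
#   medium - TCP reachable (only hosts/users xhost lists may connect), or
#            access control off with no TCP (any local account may connect)
#   low    - no TCP listener and access control on
risk_level() {
    xstate=$1
    listening=$2
    if [ "$listening" = yes ] && [ "$xstate" = open ]; then
        echo high
    elif [ "$listening" = yes ] || [ "$xstate" = open ]; then
        echo medium
    else
        echo low
    fi
}

# audit_x_access: live check when the tools and a display exist, otherwise
# the constructed samples; prints a one-line summary.
audit_x_access() {
    if command -v xhost >/dev/null 2>&1 && [ -n "$DISPLAY" ]; then
        xstate=$(xhost 2>/dev/null | classify_xhost)
    else
        xstate=$(printf '%s\n' "$SAMPLE_XHOST_OPEN" | classify_xhost)
    fi
    if command -v ss >/dev/null 2>&1; then
        listening=$(ss -ltn 2>/dev/null | x_tcp_listening)
    else
        listening=$(printf '%s\n' "$SAMPLE_SS_X_LISTENING" | x_tcp_listening)
    fi
    echo "access control: $xstate; X on TCP: $listening; risk: $(risk_level "$xstate" "$listening")"
}

audit_x_access
```

On a "high" or "medium" result the fix is to run 'xhost -' (re-enables access control) and, if a second local account really needs the display, grant that account alone with 'xhost +SI:localuser:NAME' (server-interpreted addresses; assumes an X server that supports them) instead of the blanket 'xhost +' from the autostart script quoted above. Starting the X server with TCP disabled removes the port 6000 exposure entirely.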