List: kde-user
Subject: Re: Can´t start programs online.
From: Andreas Pour <pour () mieterra ! com>
Date: 1999-07-28 16:33:12
jedd wrote:
> On Wed, 28 Jul 1999, Jesper Krogh wrote:
>
> ] "xhost +" and "xhost +localhost" work.
> ] But is there anyone who has a good reason why this has to be done?
> ] It should not be necessary ... should it???
>
> Well, 'should' is a matter of taste. It's generally regarded that
> security should be a higher priority than convenience, and for
> the most part I think that approach is sage.
>
> In my autostart in KDE, I run a script that just does 'xhost +'.
> (I can't do it before KDE (X) starts, because xhost needs to
> talk to a running Xserver, of course.) By doing this, I allow
> any other user of this computer to start programs that will
> display on my monitor. This is considered a security issue,
> and rightly so. I don't want an xterm appearing on a window
> somewhere, finding it, thinking it's mine, and doing an 'su',
> only to have someone's trojan horse capture my root p/w.
>
> (That's the answer to your first question :)
>
> In my instance, and probably in yours too, this is a non-issue,
> since a) I am not connected to a network (very often), and
> b) there are no other valid user accounts on this machine, so
> that style of attack is not possible.
If someone happens to conduct a port scan while you are temporarily
attached to the Internet (using your dial-up ISP, e.g.), and notices that
the X Server port (6000) is available, they can launch all kinds of
attacks, whether or not you have set xhost+, but especially if you have.
If xhost+ is set, an attacker can easily make screendumps, catch
keystrokes and fake keystrokes, all pretty much without you knowing about
it.
Regards,
Andreas Pour
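A small audit of the three `xhost` states this thread touches on (`xhost +`, `xhost +localhost`, and a per-user `si:localuser:` grant), added here as an example and not part of the original message. The sample `xhost` listings are constructed, and the parser assumes xhost's usual "access control enabled/disabled" first line followed by one access-list entry per line.

```python
"""Rate the exposure of an X server from the text that `xhost` prints."""
import re
import subprocess

DISABLED = re.compile(r"^access control disabled", re.I)
ENABLED = re.compile(r"^access control enabled", re.I)

# Constructed sample listings (shape of real xhost output, not captured here).
SAMPLE_XHOST_PLUS = "access control disabled, clients can connect from any host\n"
SAMPLE_LOCALHOST = ("access control enabled, only authorized clients can connect\n"
                    "INET:localhost\n"
                    "SI:localuser:jedd\n")
SAMPLE_LOCALUSER = ("access control enabled, only authorized clients can connect\n"
                    "SI:localuser:jedd\n")


def assess_xhost(output: str) -> dict:
    """Classify one xhost listing.

    'xhost +'            -> access control disabled: anyone who can reach the
                            display (e.g. TCP 6000) may dump the screen or
                            read/inject keystrokes.
    'xhost +localhost'   -> host-based INET/LOCAL grant: every account on that
                            host is trusted, not only the session owner.
    'xhost +si:localuser:NAME' -> server-interpreted per-user grant, the narrow form.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty xhost output")
    status, entries = lines[0], lines[1:]
    if DISABLED.match(status):
        return {"level": "critical", "reason": "access control disabled", "entries": entries}
    if not ENABLED.match(status):
        raise ValueError(f"unrecognised status line: {status!r}")
    host_grants = [e for e in entries if e.upper().startswith(("INET:", "INET6:", "LOCAL:"))]
    if host_grants:
        return {"level": "warning", "reason": "host-based grants trust every user on the host",
                "entries": host_grants}
    return {"level": "ok", "reason": "only per-user (SI:) grants, or none", "entries": entries}


def assess_live_display() -> dict:
    """Run xhost against the current DISPLAY and classify the result."""
    out = subprocess.run(["xhost"], capture_output=True, text=True, check=True).stdout
    return assess_xhost(out)


if __name__ == "__main__":
    for name, sample in [("xhost +", SAMPLE_XHOST_PLUS), ("xhost +localhost", SAMPLE_LOCALHOST),
                         ("xhost +si:localuser:jedd", SAMPLE_LOCALUSER)]:
        verdict = assess_xhost(sample)
        print(f"{name:26} -> {verdict['level']}: {verdict['reason']}")
```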
--
Send posts to: kde-user@lists.netcentral.net
Send all commands to: kde-user-request@lists.netcentral.net
Put your command in the SUBJECT of the message:
"subscribe", "unsubscribe", "set digest on", or "set digest off"
All kde mailing lists are archived at http://lists.kde.org
This list is from your pals at NetCentral <http://www.netcentral.net/>