XWin and multiple users
Alexander Gottwald
Alexander.Gottwald@s1999.tu-chemnitz.de
Tue May 25 00:51:00 GMT 2004
Kris Thielemans wrote:
>
> >
> > user    startup            $DISPLAY        file in /tmp
> > -----------------------------------------------------------
> > Alice   XWin :0 $OPTIONS   localhost:0.0   /tmp/.X11-unix/X0
> > Bob     XWin :1 $OPTIONS   localhost:1.0   /tmp/.X11-unix/X1
>
> thanks!
>
> this brings me to the security scare that I mentioned a few months ago.
> Isn't it a bit strange/unsafe that /tmp/.X11-unix/X0 has read/write
> permissions for everybody? I observed that user A can (accidentally) launch
> an xterm on the display of user B (who launched XWin with that display), and
> so expose everything he (i.e. user A) has on that machine. Worse, he could
> maliciously put some X stuff on the display of the other. (Maybe even read
> some stuff?)
>
> why not set /tmp/.X11-unix/X0 etc to owner access only?
There is a second security layer built into X11. You can start XWin with the
-auth option, and XWin reads authentication options from this file. Then only
clients which know these credentials are allowed to connect.
So the secure way is to
(1) create credentials
(2) store them in a file readable only to you
(3) add them to ~/.Xauthority
(4) start XWin -auth <file from 2>
(5) only xterm which has read access to ~/.Xauthority can connect
This has been discussed some time ago on the mailing list and afair there are small
scripts available. Search the archives for md5sum. This should bring up some of them.
Also see man xauth, Xsecurity, Xserver for more details.
bye
ago
NP: Allied Vision - Coaxial Hardware
--
Alexander.Gottwald@informatik.tu-chemnitz.de
http://www.gotti.org ICQ: 126018723
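The five steps above as one script, added here as an example (it is not a script from the mail or from the archive threads it mentions). It assumes xauth and XWin are on PATH; the display number and the path of the private auth file are taken from the command line.

```sh
#!/bin/sh
# Added example, not the original poster's script. Assumes xauth and XWin
# are on PATH. Usage: sh xwin-auth.sh <display-number> [auth-file]
set -eu

# Step 1: create credentials. An MIT-MAGIC-COOKIE-1 is 16 random bytes,
# written as 32 hex digits. (The scripts mentioned on the list used md5sum
# for this; /dev/urandom read via od does the same job.)
make_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Step 2: create the cookie file so that only its owner can read or write
# it (mode 0600). Other local users can still open the world-writable
# /tmp/.X11-unix/X0 socket, but without the cookie the server rejects them.
private_file() {
    rm -f "$1"
    ( umask 077 && : > "$1" )
    chmod 600 "$1"
}

# Steps 2 and 3: store the cookie in the private file handed to XWin and
# in ~/.Xauthority, which the user's own clients (xterm etc.) read.
install_cookie() {
    disp=$1 authfile=$2 cookie=$3
    xauth -q -f "$authfile" add ":$disp" MIT-MAGIC-COOKIE-1 "$cookie"
    xauth -q add ":$disp" MIT-MAGIC-COOKIE-1 "$cookie"
}

main() {
    disp=$1
    authfile=${2:-$HOME/.xwin-auth-$disp}
    cookie=$(make_cookie)
    private_file "$authfile"
    install_cookie "$disp" "$authfile" "$cookie"
    # Step 4: start the server with the credentials. Step 5 is then enforced
    # by the server itself: a client whose ~/.Xauthority lacks this cookie
    # is refused, whoever owns the socket in /tmp.
    exec XWin ":$disp" -auth "$authfile"
}

# Only run when a display number is given on the command line.
[ "${1:-}" = "" ] || main "$@"
```

Each user runs the script with their own display number (Alice with 0, Bob with 1), so each server only accepts clients holding that user's cookie.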