[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

OpenWindows & magic-cookie

I found the following in the OpenWindows 3.0 buglist file

Bug Id:       1047967
Category:     x11news
SubCategory:  news
Synopsis:     X11 and NeWS security is weak
Public Summary:
        X11/NeWS security is less than ideal.  Issues include:

        - Running X11R3 binaries where the user must turn of
                all security (i.e. "xhost +") thereby opening
                up the server to intrusion.
        - Once a connection is established, there are NeWS
                operators that allow access to the system
                with the permissions of the user who started
                the server.  A side-effect of this is that the
                X11/NeWS server should never be run as root.
        - It is very easy to snoop keystrokes and other user
                events using NeWS interests.

        In general, the per-user authentication (MAGIC COOKIE or SUN-DES-1)
        should never be turned off.  If access to the server is restricted to
        the owner of the OpenWindows session, the X11/NeWS-specific security
        problems are avoided.
Work Around:
        Don't disable the user access control that the environment provides.

To me, this says that the problem is that CLX is not supporting magic-cookie
authentication and therefore not able to connect to the server for the same
reason that the X11R3 programs can't.  It may be the case that Simon's patch
will cause CMUCL to work with OpenWindows.