[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
OpenWindows & magic-cookie
I found the following in the OpenWindows 3.0 buglist file
Bug Id: 1047967
Synopsis: X11 and NeWS security is weak
X11/NeWS security is less than ideal. Issues include:
- Running X11R3 binaries where the user must turn of
all security (i.e. "xhost +") thereby opening
up the server to intrusion.
- Once a connection is established, there are NeWS
operators that allow access to the system
with the permissions of the user who started
the server. A side-effect of this is that the
X11/NeWS server should never be run as root.
- It is very easy to snoop keystrokes and other user
events using NeWS interests.
In general, the per-user authentication (MAGIC COOKIE or SUN-DES-1)
should never be turned off. If access to the server is restricted to
the owner of the OpenWindows session, the X11/NeWS-specific security
problems are avoided.
Don't disable the user access control that the environment provides.
To me, this says that the problem is that CLX is not supporting magic-cookie
authentication and therefore not able to connect to the server for the same
reason that the X11R3 programs can't. It may be the case that Simon's patch
will cause CMUCL to work with OpenWindows.