D. Allen [CGL]) (09/25/89)
Just so people around here know the truth about X:

>Newsgroups: comp.windows.x
>Subject: Re: X and security (or lack there of)
>Summary: X is totally devoid of security(almost)

Security in X windows is a major problem. This issue was addressed at the Xhibition in a conference which was entitled something like "X security, an oxymoron?". X windows lacks even the normal security (discretionary access control) which is normally provided to objects within the system. Once a host is given access to an X server any user on that host can do anything to the X server. This means that any client can move or delete windows, or capture keystrokes. No special privilege is required to execute any of the X commands. Kerberos is the project Athena attempt at network security, but it does nothing to make X itself more secure.

--
-IAN! (Ian! D. Allen) idallen@watcgl.uwaterloo.ca idallen@watcgl.waterloo.edu
129.97.128.64 Computer Graphics Lab/University of Waterloo/Ontario/Canada
jvkelley@watcgl.waterloo.edu (Jeff Kelley) (09/26/89)
The lack of security is a property of current X server implementations. The X protocol requires clients to send an access control string to the server as they attempt to establish a connection. The MIT R3 server simply ignores the string, and the MIT R3 X library sends a null string.

Presumably, though, one could use it to distinguish between 'trusted' clients and 'hostile' clients. But then it would be harder to have a multi-player game of 'xconq', now, wouldn't it?

-Jeff
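
The connection-setup field described in the post above, as an added example that is not part of the original thread: a parser for the X11 client setup request that extracts the authorization name and data and reports whether the client sent them empty. The function names, the `EXAMPLE-AUTH-1` name and the sample bytes are constructed for illustration.

```python
import struct

def _pad4(n):
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (n + 3) & ~3

def parse_setup_request(buf):
    """Parse the 12-byte fixed header and the two authorization strings."""
    if len(buf) < 12:
        raise ValueError("short setup request")
    order = buf[0:1]
    if order == b"B":        # most significant byte first
        fmt = ">"
    elif order == b"l":      # least significant byte first
        fmt = "<"
    else:
        raise ValueError("bad byte-order byte")
    # bytes 2..9: protocol major, protocol minor, auth name length, auth data length
    major, minor, name_len, data_len = struct.unpack(fmt + "HHHH", buf[2:10])
    data_start = 12 + _pad4(name_len)
    if len(buf) < data_start + _pad4(data_len):
        raise ValueError("truncated authorization fields")
    return {
        "major": major,
        "minor": minor,
        "auth_name": buf[12:12 + name_len],
        "auth_data": buf[data_start:data_start + data_len],
    }

def sends_null_auth(req):
    """True when the client supplied nothing a server could check."""
    return not req["auth_name"] and not req["auth_data"]

def build_setup_request(order, name=b"", data=b""):
    """Build a constructed sample request (protocol version 11.0)."""
    fmt = ">" if order == b"B" else "<"
    head = order + b"\x00" + struct.pack(fmt + "HHHH", 11, 0, len(name), len(data))
    head += b"\x00\x00"
    return (head + name.ljust(_pad4(len(name)), b"\x00")
                 + data.ljust(_pad4(len(data)), b"\x00"))

if __name__ == "__main__":
    # Constructed samples: one null-string client, one sending a non-empty string.
    for sample in (build_setup_request(b"l"),
                   build_setup_request(b"B", b"EXAMPLE-AUTH-1", b"\x01" * 16)):
        req = parse_setup_request(sample)
        print(req["auth_name"], "null auth" if sends_null_auth(req) else "auth present")
```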