rjshaw@ramius.llnl.gov (Robert Shaw) (06/08/91)
I have quite a few X kernels, and they work great. I start the display server with the -query option and it contacts xdm without any other administration. To do this however, I have to add the xdm server to the /etc/X0.hosts file in the filesystem that the Xkernel sees - because I use an MIT X11R4 server with access controls *enabled*. MIT X11R4 xhost behaves differently when I do this. It's as though the xdm server is the local host!! In other words, running xhost on the xdm server with -display set to the Xkernel machine works, but xhost on any machine other than the xdm server gives the usual message that xhost only works on the local machine. Why does the display server on the Xkernel allow itself to be xhost'ed remotely from the xdm server? =============================================================================== Rob Shaw rjshaw@ocfmail.llnl.gov ===============================================================================
schoch@starnet.com (Steve Schoch) (06/08/91)
In article <868@llnl.LLNL.GOV> rjshaw@ramius.llnl.gov (Robert Shaw) writes: >with the -query option and it contacts xdm without any other administration. >To do this however, I have to add the xdm server to the /etc/X0.hosts file >in the filesystem that the Xkernel sees - because I use an MIT X11R4 server >with access controls *enabled*. If you have compiled both the X server and xdm with the MIT-MAGIC-COOKIE-1 authorization support (default for X11R4) then you shouldn't need to add the server to your X0.hosts file. Using the XDMCP protocol, the X server should tell xdm that it supports MIT-MAGIC-COOKIE-1, xdm should generate a cookie and give it to the server, and xdm should send that cookie upon each connection to the server. Thus, the xdm server machine does not need to be in the xhost list. >MIT X11R4 xhost behaves differently when I do this. It's as though the >xdm server is the local host!! In other words, running xhost on the xdm >server with -display set to the Xkernel machine works, but xhost on any >machine other than the xdm server gives the usual message that xhost only >works on the local machine. I'm not sure about this, but I think if a client sends a valid cookie (authorization string) when connecting, then that client is allowed to change the access list as if it were a local client. You have a valid cookie on the xdm server machine but you have most likely not copied the cookie to other machines on your network. Thus xhost only works on the xdm server machine. Steve
barmar@think.com (Barry Margolin) (06/09/91)
In article <868@llnl.LLNL.GOV> rjshaw@ramius.llnl.gov (Robert Shaw) writes: >To do this however, I have to add the xdm server to the /etc/X0.hosts file >in the filesystem that the Xkernel sees - because I use an MIT X11R4 server >with access controls *enabled*. >MIT X11R4 xhost behaves differently when I do this. It's as though the >xdm server is the local host!! >Why does the display server on the Xkernel allow itself to be xhost'ed >remotely from the xdm server? Any host that can connect to the X server can perform *any* operation on it, including xhost. /etc/X0.hosts controls what hosts can connect to the X server. Since the XDM server must be able to connect to the X server, it has to be in /etc/X0.hosts, and thus it can xhost it. -- Barry Margolin, Thinking Machines Corp. barmar@think.com {uunet,harvard}!think!barmar
rws@expo.lcs.mit.EDU (Bob Scheifler) (06/10/91)
Any host that can connect to the X server can perform *any* operation on
it, including xhost.
This is simply not true. Please re-read the X protocol specification, and
try most implementations of X.
/etc/X0.hosts controls what hosts can connect to the X server.
This file specifies an initial set of hosts that can connect to the X server.
It does not (in most implementations) specify what hosts can change the
access control list. Normally only the host on which the X server is
running can change the access control list, except when XDMCP is used.
Since the XDM server must be able to connect to the X server, it
has to be in /etc/X0.hosts, and thus it can xhost it.
This is also untrue. The xdm host does not need to be in /etc/X0.hosts,
nor does it being in that file permit xhost capability. The XDMCP Accept
packet sent by xdm contains the authorization information that the X
server should use to accept the connection from xdm. In the MIT X server
implementation, when XDMCP is used, the X server augments the set of hosts
that can change the access control list to include the xdm host. This
appeared to be a reasonable approach, since in the normal case of using
XDMCP the X server is a "terminal" with no local clients running, and the
user is logging in to the xdm host, so the xdm host should be the one from
which access control list changes can be made.mouse@lightning.mcrcim.mcgill.EDU (der Mouse) (06/10/91)
> Any host that can connect to the X server can perform *any* operation > on it, including xhost. Not normally. The protocol document says of the ChangeHosts request, which is the basic mechanism xhost uses to add or remove hosts, ChangeHosts [...] This request adds or removes the specified host from the access control list. When the access control mechanism is enabled and a host attempts to establish a connection to the server, the host must be in this list, or the server will refuse the connection. The client must reside on the same host as the server and/or have been granted permission by a server-dependent method to execute this request (or an Access error results). [...] The MIT server - at least over here! - will refuse xhost requests from other machines when XDMCP is not in use. der Mouse old: mcgill-vision!mouse new: mouse@larry.mcrcim.mcgill.edu
rjshaw@ramius.llnl.gov (Robert Shaw) (06/11/91)
In article <1991Jun8.045152.1509@starnet.com>, schoch@starnet.com (Steve Schoch) writes: |> In article <868@llnl.LLNL.GOV> rjshaw@ramius.llnl.gov (Robert Shaw) writes: |> >MIT X11R4 xhost behaves differently when I do this. It's as though the |> >xdm server is the local host!! In other words, running xhost on the xdm |> >server with -display set to the Xkernel machine works, but xhost on any |> >machine other than the xdm server gives the usual message that xhost only |> >works on the local machine. |> |> I'm not sure about this, but I think if a client sends a valid cookie |> (authorization string) when connecting, then that client is allowed to |> change the access list as if it were a local client. You have a valid |> cookie on the xdm server machine but you have most likely not copied |> the cookie to other machines on your network. Thus xhost only works on |> the xdm server machine. |> |> Steve I've received mail about this (I forget from whom, my apologies...). But first let me mention that the cookie actually is on the other machines on the network because my unique home directory (where the cookie is, in $HOME/.Xauthority) is (auto)mounted wherever I login - that's why I thought this was all kind of weird... Apparently this all happens by design so the "old applications which [don't use magic cookies]" will still work. In other words (if I understand the person correctly) there are applications that don't know how to send cookies, so there needs to be some way of letting them connect to the X kernel. The solution is to use xhost'ing. So the server allows the access list to be modified remotely, but only from the xdm server. Have I got it straight? =============================================================================== Rob Shaw rjshaw@ocfmail.llnl.gov ===============================================================================