grunwald@flute.cs.uiuc.edu (Dirk Grunwald) (07/11/89)
While xwatchwin is a useful utility, it points out some serious flaws
with X11R3 as it stands.
I start an xterm on our 100+ user Encore Multimax -- and do an `xhost' to
allow the max to connect to my server. Thus, I open myself to 100+ possibly
nosy people -- people who might use xwatchwin to decide when to do a
keyset grab to find my password.
I've thought of two fixes for security:
(1) have an alert pop up for each connection
(2) change Xlib to query a local trusted process on XOpenDisplay calls.
The trusted process talks to servers using a privileged TCP port
number reporting, e.g., user name, PID, whatever. The server would
be free to match this using whatever method it would like, possibly
using (1) as a fallback if an access list wasn't matched.
Are either of these planned for X11R4?
--
Dirk Grunwald -- Univ. of Illinois (grunwald@flute.cs.uiuc.edu)
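Added example, not part of the original post: a small Python audit of `xhost` output that flags host-wide grants of the kind described above (an `INET:` or `LOCAL:` entry admits every user on that host), and reports the per-user `SI:localuser:` form, which later X servers support, separately. The sample output below is constructed; the hostnames are placeholders taken from the post.

```python
import re

# Constructed sample of `xhost` output; not captured from a real server.
SAMPLE_XHOST_OUTPUT = """\
access control enabled, only authorized clients can connect
INET:max.cs.uiuc.edu
INET:flute.cs.uiuc.edu
SI:localuser:grunwald
"""

# Address families whose entries grant access to *every* user on the
# named host (or, for LOCAL, every local user).
HOST_WIDE_FAMILIES = {"INET", "INET6", "LOCAL"}


def audit_xhost(output):
    """Parse `xhost` output.

    Returns (access_control_enabled, findings), where each finding is a
    tuple (entry, scope, note) and scope is one of
    'host' (any user on that host), 'user' (one local user) or 'unknown'.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    enabled = bool(lines) and lines[0].lower().startswith("access control enabled")
    findings = []
    for entry in lines[1:]:
        family, _, name = entry.partition(":")
        fam = family.upper()
        if fam in HOST_WIDE_FAMILIES:
            who = name or "this machine"
            findings.append((entry, "host",
                             "every user on %s may open the display" % who))
        elif fam == "SI" and re.match(r"localuser:[^:\s]+$", name):
            findings.append((entry, "user",
                             "only %s may open the display" % name.split(":", 1)[1]))
        else:
            findings.append((entry, "unknown", "unrecognised entry; review by hand"))
    return enabled, findings


if __name__ == "__main__":
    ok, found = audit_xhost(SAMPLE_XHOST_OUTPUT)
    print("access control enabled:", ok)
    for entry, scope, note in found:
        print("%-28s %-8s %s" % (entry, scope, note))
```

Run it against `xhost | python3 audit.py`-style piped input by replacing the sample with `sys.stdin.read()`; a disabled-control line or any 'host' finding is the condition the post warns about.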