Path: utzoo!mnetor!tmsoft!torsqnt!jarvis.csri.toronto.edu!rutgers!usc!henry.jpl.nasa.gov!elroy.jpl.nasa.gov!ucla-cs!squid!dgreen
From: dgreen@squid.cs.ucla.edu (Dan R. Greening)
Newsgroups: comp.windows.x
Subject: Packet Security Issues.
Message-ID: <27232@shemp.CS.UCLA.EDU>
Date: 19 Sep 89 17:56:14 GMT
Sender: news@CS.UCLA.EDU
Reply-To: dgreen@squid.cs.ucla.edu (Dan R. Greening)
Distribution: comp
Organization: UCLA Computer Science Department
Lines: 30

Hi there.

I would like to use some X11-based performance monitoring tools on an
outside machine from within a rather secure network. We have a gateway
connected to the NSFnet. It currently does not allow X11 packets to
cross its threshold.

The security problem is this: If I use xhost +hostname, *anyone* on the
host "hostname" can start a Trojan horse program which displays on my
machine. This problem would be resolved if I could specify the user in
my xhost command, or better yet if I could specify the user and program
name.

I am curious about two things:

1. Are there plans to include this sort of security in release 4?

2. Are there hooks in the open-window packets of releases 2 and/or 3
   which would allow the GATEWAY to do some security checking before
   forwarding the packet to the internal host?

If the answer to number 2 is "yes", has anyone implemented such a
gateway program? Since a number of government and corporate
organizations like to keep their internal networks secure, but would
also like to use X11 tools on external machines, security seems like a
worthy goal.

If the answer to number 2 is "no", can anyone give me some hints on how
it could be done, so that I can pass them on to the gateway people?

Thanks in advance.

Dan Greening    dgreen@cs.ucla.edu
NY 914-789-7620 | 308 Westwood Plaza, Box 117
CA 213-825-2266 | Los Angeles, CA 90024-1647