Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!usc!apple!agate!ziploc!eps
From: eps@toaster.SFSU.EDU (Eric P. Scott)
Newsgroups: comp.sys.next
Subject: Re: Security Hole?
Message-ID: <1051@toaster.SFSU.EDU>
Date: 15 Dec 90 01:46:33 GMT
References: <49464@cornell.UUCP> <108170004@hpcuhd.HP.COM>
Reply-To: eps@cs.SFSU.EDU (Eric P. Scott)
Organization: San Francisco State University
Lines: 20

In article <108170004@hpcuhd.HP.COM> edwardm@hpcuhd.HP.COM
	(Edward McClanahan) writes:
>Correct me if I am wrong, but doesn't "disabling" Public Window Server merely
>prevent processes running on other NeXT's (etc...) from openning the display
>on my local NeXT and posting a window to it?  I suspect that Public Sound Port
>works the same way.  Neither of these "settings" prevents the case where the
>snooper on a remote machine "logs in" to my NeXT and runs a process on my NeXT
>which attaches to the display or the microphone.

Well, at least as far as 1.0/1.0a go, WRONG!!!

If Public Window Server is disabled, only descendents of
loginwindow (and npd) get in.  Someone who "logs in from a remote
machine" most assuredly DOES NOT (without becoming superuser, and
even then it takes effort)--they simply do not have access rights. 

I can't imagine NeXT relaxing this in 2.0, but I haven't actually
tried.

					-=EPS=-