Path: utzoo!news-server.csri.toronto.edu!rutgers!dimacs.rutgers.edu!mips!swrinde!elroy.jpl.nasa.gov!decwrl!sgi!rpw3@rigden.wpd.sgi.com
From: rpw3@rigden.wpd.sgi.com (Rob Warnock)
Newsgroups: comp.sys.sgi
Subject: Re: 4sight .cutbuffer
Message-ID: <91108@sgi.sgi.com>
Date: 14 Mar 91 07:44:32 GMT
References: <9103131541.AA21424@slic.cellbio.duke.edu>
Sender: guest@sgi.sgi.com
Reply-To: rpw3@sgi.com (Rob Warnock)
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 55

In article <9103131541.AA21424@slic.cellbio.duke.edu> jit@SLIC.CELLBIO.DUKE.EDU
(Jit Keong Tan) writes:
+---------------
| Could the future release of window manager (whatever it is going to be)
| fix the side effect that the current copy buffer is stored in a file that is
| accessible by all other people:
|
| -rw-rw-rw- 1 root (the buffer file)
+---------------

Well, the answer is "yes" and also "no". You see, in the X environment there
is no cutbuffer "file" -- the cutbuffer(s) and primary selection buffer are
in memory inside the X server, so no one can read them as a file. Also, since
the X server gets reset when you log out, the cut/selection buffer(s) don't
survive across logins. That was the good news...

However, *any* user at *any* host that you permit access to your X server
with the "xhost" command can read and write *anything* in your X server,
including your selection/cut buffer(s). And that includes any user running
on *your* workstation, not just "root".

For example, a friend of mine has no password on the "guest" login on his
workstation. So...

	% rcp xselection guest@his_machine:/usr/tmp
	% rsh his_machine -l guest /usr/tmp/xselection -display :0 PRIMARY
	  /  Erase is control-H
	 /   Kill is control-U
	+-{  42 cd /usr/lib/X11/xdm
	| \  /usr/lib/X11/xdm
	|  \ 43 ls -l
	|   \ total 13
	|
	+- This is what happens to be in his primary selection buffer.

("xselection" is a publicly-available program, but note that any skilled
X programmer could write something like it.) That was the bad news...

The really long answer I'll forego here (since I don't even know all the
details myself!), but suffice it to say that there are other forms of
authentication that can be used besides the simple "xhost", but that's
the default. At least the buffers disappear at logout, which is an
improvement...

-Rob

-----
Rob Warnock, MS-1L/515		rpw3@sgi.com		rpw3@pei.com
Silicon Graphics, Inc.		(415)335-1673		Protocol Engines, Inc.
2011 N. Shoreline Blvd.
Mountain View, CA  94039-7311
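
An added example, not part of the original post: a shell filter that classifies the access list printed by `xhost`, so the host-wide grants the post warns about stand out from per-user ones. It assumes the status-line wording and the `INET:` and `SI:localuser:` entry prefixes printed by current xhost builds; the sample list and the user name `alice` are constructed.

```shell
#!/bin/sh
# Added example: classify the access list that `xhost` prints (read on stdin).
# Verdicts:
#   OPEN       access control is off; clients on every host are accepted
#   HOST-WIDE  entry admits every user on that host (the case in the post)
#   USER-ONLY  server-interpreted entry limited to one local user
audit_xhost() {
    while IFS= read -r line; do
        case "$line" in
            "") ;;                                  # skip blank lines
            *"access control disabled"*) echo "OPEN" ;;
            *"access control enabled"*) ;;          # status line, nothing to flag
            SI:localuser:*) echo "USER-ONLY $line" ;;
            *) echo "HOST-WIDE $line" ;;            # bare host name or FAMILY:host
        esac
    done
}

# Number of findings that let other users reach the selection/cut buffers.
# grep -c exits non-zero when the count is 0, hence the "|| true".
xhost_exposures() {
    audit_xhost | grep -c -E '^(OPEN|HOST-WIDE)' || true
}

# Constructed sample, not captured from a real system. "his_machine" is the
# host name used in the post; "alice" is a made-up user.
SAMPLE='access control enabled, only authorized clients can connect
his_machine
INET:localhost
SI:localuser:alice'

printf '%s\n' "$SAMPLE" | audit_xhost
# On a live display the same filter is fed by:  xhost | audit_xhost
```

Every `HOST-WIDE` line is a host whose users, including a passwordless "guest", can read and write the server's selection and cut buffers.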