Newsgroups: comp.windows.x
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!ames!bart!schoch
From: schoch@starnet.com (Steve Schoch)
Subject: Re: Xkernel and security
Message-ID: <1991Jun8.045152.1509@starnet.com>
Reply-To: schoch@bart.starnet.com (Steve Schoch)
Organization: Starnet Communication Corporation, Santa Clara, CA
References: <868@llnl.LLNL.GOV>
Date: Sat, 8 Jun 1991 04:51:52 GMT

In article <868@llnl.LLNL.GOV> rjshaw@ramius.llnl.gov (Robert Shaw) writes:
>with the -query option and it contacts xdm without any other administration.
>To do this however, I have to add the xdm server to the /etc/X0.hosts file
>in the filesystem that the Xkernel sees - because I use an MIT X11R4 server
>with access controls *enabled*.

If you have compiled both the X server and xdm with the MIT-MAGIC-COOKIE-1
authorization support (default for X11R4) then you shouldn't need to add
the server to your X0.hosts file.  Using the XDMCP protocol, the X server
should tell xdm that it supports MIT-MAGIC-COOKIE-1, xdm should generate
a cookie and give it to the server, and xdm should send that cookie upon
each connection to the server.  Thus, the xdm server machine does not
need to be in the xhost list.

>MIT X11R4 xhost behaves differently when I do this. It's as though the 
>xdm server is the local host!! In other words, running xhost on the xdm
>server with -display set to the Xkernel machine works, but xhost on any
>machine other than the xdm server gives the usual message that xhost only
>works on the local machine.

I'm not sure about this, but I think if a client sends a valid cookie
(authorization string) when connecting, then that client is allowed to
change the access list as if it were a local client.  You have a valid
cookie on the xdm server machine but you have most likely not copied
the cookie to other machines on your network.  Thus xhost only works on
the xdm server machine.

	Steve