Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!apple!snorkelwacker.mit.edu!bloom-beacon!dont-send-mail-to-path-lines
From: rws@expo.lcs.mit.EDU (Bob Scheifler)
Newsgroups: comp.windows.x
Subject: Re: Xkernel and security
Message-ID: <9106091707.AA18361@expire.lcs.mit.edu>
Date: 9 Jun 91 17:07:38 GMT
References: <1991Jun9.154532.26126@Think.COM>
Sender: daemon@athena.mit.edu (Mr Background)
Organization: The Internet
Lines: 27


    Any host that can connect to the X server can perform *any* operation on
    it, including xhost.

This is simply not true.  Please re-read the X protocol specification, and
try most implementations of X.

    /etc/X0.hosts controls what hosts can connect to the X server.

This file specifies an initial set of hosts that can connect to the X server.
It does not (in most implementations) specify what hosts can change the
access control list.  Normally only the host on which the X server is
running can change the access control list, except when XDMCP is used.

    Since the XDM server must be able to connect to the X server, it
    has to be in /etc/X0.hosts, and thus it can xhost it.

This is also untrue.  The xdm host does not need to be in /etc/X0.hosts,
nor does it being in that file permit xhost capability.  The XDMCP Accept
packet sent by xdm contains the authorization information that the X
server should use to accept the connection from xdm.  In the MIT X server
implementation, when XDMCP is used, the X server augments the set of hosts
that can change the access control list to include the xdm host.  This
appeared to be a reasonable approach, since in the normal case of using
XDMCP the X server is a "terminal" with no local clients running, and the
user is logging in to the xdm host, so the xdm host should be the one from
which access control list changes can be made.