Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!lll-winken!llnl!ramius.llnl.gov!rjshaw
From: rjshaw@ramius.llnl.gov (Robert Shaw)
Newsgroups: comp.windows.x
Subject: Re: Xkernel and security
Message-ID: <870@llnl.LLNL.GOV>
Date: 10 Jun 91 17:39:37 GMT
References: <868@llnl.LLNL.GOV> <1991Jun8.045152.1509@starnet.com>
Sender: news@llnl.LLNL.GOV
Reply-To: rjshaw@ramius.llnl.gov (Robert Shaw)
Organization: Lawrence Livermore National Laboratory
Lines: 36

In article <1991Jun8.045152.1509@starnet.com>, schoch@starnet.com (Steve Schoch) writes:
|> In article <868@llnl.LLNL.GOV> rjshaw@ramius.llnl.gov (Robert Shaw) writes:
|> >MIT X11R4 xhost behaves differently when I do this. It's as though the
|> >xdm server is the local host!! In other words, running xhost on the xdm
|> >server with -display set to the Xkernel machine works, but xhost on any
|> >machine other than the xdm server gives the usual message that xhost only
|> >works on the local machine.
|>
|> I'm not sure about this, but I think if a client sends a valid cookie
|> (authorization string) when connecting, then that client is allowed to
|> change the access list as if it were a local client. You have a valid
|> cookie on the xdm server machine but you have most likely not copied
|> the cookie to other machines on your network. Thus xhost only works on
|> the xdm server machine.
|>
|> Steve

I've received mail about this (I forget from whom, my apologies...). But first let me mention that the cookie actually is on the other machines on the network because my unique home directory (where the cookie is, in $HOME/.Xauthority) is (auto)mounted wherever I login - that's why I thought this was all kind of weird... Apparently this all happens by design so the "old applications which [don't use magic cookies]" will still work.
In other words (if I understand the person correctly) there are applications that don't know how to send cookies, so there needs to be some way of letting them connect to the X kernel. The solution is to use xhost'ing. So the server allows the access list to be modified remotely, but only from the xdm server. Have I got it straight?

===============================================================================
Rob Shaw                                              rjshaw@ocfmail.llnl.gov
===============================================================================
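The thread turns on what is in $HOME/.Xauthority and which entry a client hands to the server when it connects. The following is an added example, not code from either poster: it parses and writes the .Xauthority file format (entries packed back to back, each a big-endian 16-bit family followed by four 16-bit-length-prefixed fields: address, display number, protocol name, cookie data) and picks the entry a client would present for a given display, using the same matching rule as libXau's XauGetAuthByAddr (FamilyWild matches any family; an empty display number on either side is a wildcard). The hostname "ramius", the address 10.0.0.5 and the cookie bytes are constructed for illustration. On an automounted home directory every host sees the same bytes, which is why the cookie travelled with the user in the situation described above.

```python
"""Parse, query and serialize an X11 ~/.Xauthority file.

Added example, not code from the original post. Hostnames, addresses
and cookie values below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Address families used in .Xauthority entries (values from X.Org's Xauth.h).
FAMILY_INTERNET = 0      # address is a 4-byte IPv4 address
FAMILY_LOCAL = 256       # address is the hostname of the local machine
FAMILY_WILD = 65535      # matches any family


@dataclass(frozen=True)
class XauthEntry:
    family: int
    address: bytes
    number: bytes   # display number as ASCII decimal, e.g. b"0"
    name: bytes     # authorization protocol name, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes     # the cookie itself (16 random bytes for MIT-MAGIC-COOKIE-1)


def _read_field(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one big-endian uint16 length-prefixed field; reject truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated .Xauthority: missing length at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated .Xauthority: field runs past end of file")
    return buf[off:off + n], off + n


def parse_xauthority(buf: bytes) -> list[XauthEntry]:
    """Decode every entry; the file has no header, entries are simply concatenated."""
    entries = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated .Xauthority: dangling family bytes")
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _read_field(buf, off)
        number, off = _read_field(buf, off)
        name, off = _read_field(buf, off)
        data, off = _read_field(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def _write_field(b: bytes) -> bytes:
    if len(b) > 0xFFFF:
        raise ValueError("field too long for a 16-bit length prefix")
    return struct.pack(">H", len(b)) + b


def serialize_xauthority(entries: list[XauthEntry]) -> bytes:
    """Inverse of parse_xauthority; the bytes `xauth add` would leave on disk."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += _write_field(field)
    return bytes(out)


def find_cookie(entries, family: int, address: bytes, number: bytes):
    """Return the entry a client would send for family/address:number, or None.

    Matching follows libXau's XauGetAuthByAddr: FamilyWild on either side
    matches any family, otherwise family and address must match exactly;
    an empty display number on either side is a wildcard. First match wins.
    """
    for e in entries:
        if not (family == FAMILY_WILD or e.family == FAMILY_WILD
                or (e.family == family and e.address == address)):
            continue
        if number and e.number and e.number != number:
            continue
        return e
    return None


def rejects(buf: bytes) -> bool:
    """True if buf fails to parse; shows that truncated files are caught."""
    try:
        parse_xauthority(buf)
    except ValueError:
        return True
    return False


# Constructed sample: one entry for local connections on the xdm host and one
# for the Xkernel display reached over TCP. Cookie values are made up.
SAMPLE_ENTRIES = [
    XauthEntry(FAMILY_LOCAL, b"ramius", b"0", b"MIT-MAGIC-COOKIE-1",
               bytes.fromhex("00112233445566778899aabbccddeeff")),
    XauthEntry(FAMILY_INTERNET, bytes([10, 0, 0, 5]), b"0", b"MIT-MAGIC-COOKIE-1",
               bytes.fromhex("ffeeddccbbaa99887766554433221100")),
]
SAMPLE_FILE = serialize_xauthority(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for e in parse_xauthority(SAMPLE_FILE):
        print(e.family, e.address, e.number, e.name.decode(), e.data.hex())
```

Pointing the parser at a real file (`open(os.path.expanduser("~/.Xauthority"), "rb").read()`) lists the same entries `xauth list` shows; a connection from any host that can read those bytes carries the cookie, and with MIT-MAGIC-COOKIE-1 the cookie is sent in the clear in the connection setup, so the file's mode and the network path both matter.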