Bugtraq mailing list archives

xcrowbar


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Wed, 11 Jan 1995 13:54:20 -0500


>> What's xcrowbar, and how does it "turn[] off the authority
>> mechanisms altogether"?  In my experience, only clients running on
>> the local host, or the xdm host if the server was started with xdm,
>> can fiddle with the access control mechanisms.

> As for only the local host or xdm host being able to "fiddle with the
> access control mechanism", I highly doubt that the statement is true.
> X servers (well, at least the distributed ones) don't pay any special
> attention to whether a client is local or remote.

Then someone's broken things rather severely in the last year or two.
Back in the R4 days (which was when I kinda dropped out of touch with
current X), the server _did_ pay attention for purposes of access
control.  The R4 protocol document's description of the
SetAccessControl request is

        SetAccessControl
        
          mode: {Enable, Disable}
        
          Errors: Access, Value
        
        This request enables or disables the use of the access control
        list at connection setups.
        
        The client must reside on the same host as the server and/or
        have been granted permission by a server-dependent method to
        execute this request (or an Access error results).

Now, of course, the "server-dependent method" could simply be to grant
access to all clients, so what you describe would not, technically, be
a protocol violation.  But go look through
mit/server/os/4.2bsd/access.c in the R4 distribution and you'll see
that at least back then, it did pay attention; various things call
AuthorizedClient().  If you find a server that doesn't, I would
recommend sending a critical security bug report to its source (vendor,
or the Consortium if you're using Consortium servers).  And then pester
them until they fix it!

>> What I do, to get the convenience of "xhost -" without giving up
>> quite as much security, is I run a front-end program [...]

> I don't suppose the program you run is freely available someplace?

Anonymous ftp to collatz.mcrcim.mcgill.edu, cd /X, do a dir of xconns*
and fetch whatever you think looks interesting.  (Ask for .gz files if
possible, please, to reduce demands on my poor slow netlink....)

It really needs work, though.  It should do at least minimal
monitoring, it should use IDENT, etc....

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
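
The SetAccessControl rule quoted in the message above, as an added C example (not the R4 server's access.c and not code from the poster): a handler that returns an Access error to any client that is not local. The names `set_access_control`, `client_is_local` and `access_control_enabled` are hypothetical, and the locality rule is an assumption standing in for the "server-dependent method".

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* X11 core protocol values: request opcode, mode values, error codes. */
enum { X_SetAccessControl = 111, DisableAccess = 0, EnableAccess = 1 };
enum { Success = 0, BadRequest = 1, BadValue = 2, BadAccess = 10, BadLength = 16 };

/* Hypothetical server state: 1 = host access list enforced at connection setup. */
static int access_control_enabled = 1;

/* Assumed locality rule: UNIX socket, IPv4 loopback, or an address the host owns. */
static int client_is_local(const struct sockaddr *peer,
                           const in_addr_t *own, size_t n_own)
{
    if (peer->sa_family == AF_UNIX) return 1;
    if (peer->sa_family != AF_INET) return 0;
    in_addr_t a = ((const struct sockaddr_in *)peer)->sin_addr.s_addr;
    if ((ntohl(a) >> 24) == 127) return 1;
    for (size_t i = 0; i < n_own; i++)
        if (own[i] == a) return 1;
    return 0;
}

/* One request: opcode, mode, 16-bit length in 4-byte units (must be 1). */
static int set_access_control(const uint8_t *req, size_t len, int msb_first,
                              const struct sockaddr *peer,
                              const in_addr_t *own, size_t n_own)
{
    if (len != 4) return BadLength;
    if (req[0] != X_SetAccessControl) return BadRequest;
    unsigned units = msb_first ? (req[2] << 8 | req[3]) : (req[3] << 8 | req[2]);
    if (units != 1) return BadLength;
    if (req[1] != EnableAccess && req[1] != DisableAccess) return BadValue;
    if (!client_is_local(peer, own, n_own)) return BadAccess; /* remote: refuse */
    access_control_enabled = (req[1] == EnableAccess);
    return Success;
}

int main(void)
{
    /* Constructed input: a little-endian "Disable" request from a remote peer. */
    const uint8_t req[4] = { X_SetAccessControl, DisableAccess, 1, 0 };
    struct sockaddr_in peer = { .sin_family = AF_INET };
    peer.sin_addr.s_addr = inet_addr("192.0.2.10");
    int rc = set_access_control(req, sizeof req, 0, (struct sockaddr *)&peer, NULL, 0);
    printf("error=%d access_control_enabled=%d\n", rc, access_control_enabled);
}
```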


