Bugtraq mailing list archives
Re: X11 cookie hijacker
From: okir () MONAD SWB DE (Olaf Kirch)
Date: Thu, 5 Nov 1998 09:06:37 +0100
On Tue, 03 Nov 1998 18:13:54 +1100, David Dawes wrote:
> I assume from this list that you don't have a real solution? We've all seen
> the "potential" solutions before. The problem doesn't still exist because
> nobody cares about it. It still exists because nobody has, to my knowledge,
> found a real solution to it.

I consider a solution that leaves my X session open to eavesdropping and manipulation worse than a hack that's advertised as breaking some minor things but going to go away as soon as a better solution is found.

Second, not all approaches necessarily break things.

1. Unix domain sockets could easily be abandoned, provided XOpenConnection clandestinely maps "unix:0" to "localhost:0".

2. If making /tmp/.X11-unix mode 711 breaks servers that are not setuid root, why not at least protect the ones that are? How many X servers typically get installed on a single machine?

AFAIK, most Unix vendors have been able to come up with a solution. Not a universal one, but one that works for their servers, and apparently doesn't break XOpenConnection big time.

Olaf
--
Olaf Kirch           |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax