Bugtraq mailing list archives
Re: Xwindows security?
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Fri, 6 Jan 1995 08:09:43 -0500
> I had a program a couple years ago that would allow a user to connect to an Xwindow server so you could see what was being keyed in. But I have misplaced it, does anyone have pointers to archive site? I want to show our management that our firewall should NOT allow X-window traffic from the Internet unless it is TIGHTLY controlled.

It's not hard to write such a program. Just walk the window tree, selecting for KeyPress and SubstructureNotify on all windows, printing out keypresses and using window creation to trigger more event selection.

However, this is not really a problem. X contains authorization mechanisms to control who is allowed to connect to the server at all. These can be disabled (in keeping with "tools not rules"); if your users insist on doing so, there is some security danger - but it's a people problem, not a technical problem. As is so often the case, the way to attack this problem is by educating people, thus making them understand why they want to be careful and what mechanisms are available to allow them to do so, rather than imposing technical restrictions that are easy to get around and, since they don't teach anyone _why_ they're there, just incite people to do so.

Your firewall is not really capable of identifying "X-window" (by which I assume you mean The X Window System[%]) traffic. The most it can do is refuse traffic to the port number usually used for X display 0, perhaps with display 1 or 2 added for good measure. But your firewall is not really in a position to keep someone from starting a server using (say) port 7654 and telling remote apps to use hostname:1654.

[%] "It's a window system called X, not a system called X-window."

der Mouse
mouse () collatz mcrcim mcgill edu
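
A defender-side check for the two points in the message above, added here as an example and not part of the original post: it flags disabled or host-based access control in `xhost` output, and lists which display numbers a port-range firewall rule does not cover. The function names and the sample `xhost` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for X access
# control and for the reach of a port-based firewall rule.

# TCP port an X server listens on for display N: 6000 + N.
x_display_port() {
    echo $((6000 + $1))
}

# Read `xhost` output on stdin and print one finding per line:
#   OPEN          access control is disabled, any host may connect
#   HOST <entry>  host-based entry, every user on that host may connect
xhost_findings() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) echo "OPEN" ;;
            "access control enabled"*)  ;;
            SI:localuser:*|LOCAL:*)     ;;  # local entries, not reachable over the network
            "")                         ;;
            *)                          echo "HOST $line" ;;
        esac
    done
}

# Args: lowest blocked port, highest blocked port, then display numbers.
# Prints "display:port" for each display the blocked range does not cover.
uncovered_displays() {
    lo=$1; hi=$2; shift 2
    for d in "$@"; do
        p=$(x_display_port "$d")
        if [ "$p" -lt "$lo" ] || [ "$p" -gt "$hi" ]; then
            echo "$d:$p"
        fi
    done
}

# Constructed sample of what `xhost` prints after access control is turned off.
SAMPLE_OPEN='access control disabled, clients can connect from any host
INET:build1.example.org
SI:localuser:alice'

# Demo: findings for the sample, then a rule blocking displays 0-2 only.
printf '%s\n' "$SAMPLE_OPEN" | xhost_findings
uncovered_displays 6000 6002 0 1 2 1654
```

On a live system, pipe the real output in with `xhost | xhost_findings`; an empty result means access control is on and no host-wide entries are present.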