Bugtraq mailing list archives

Re: Xwindows security?


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Fri, 6 Jan 1995 08:09:43 -0500


> I had a program a couple years ago that would allow a user to connect
> to an Xwindow server so you could see what was being keyed in.  But I
> have misplaced it; does anyone have pointers to an archive site?  I want
> to show our management that our firewall should NOT allow X-window
> traffic from the Internet unless it is TIGHTLY controlled.

It's not hard to write such a program.  Just walk the window tree,
selecting for KeyPress and SubstructureNotify on all windows, printing
out keypresses and using window creation to trigger more event
selection.

However, this is not really a problem.  X contains authorization
mechanisms to control who is allowed to connect to the server at all.
These can be disabled (in keeping with "tools not rules"); if your
users insist on doing so, there is some security danger - but it's a
people problem, not a technical problem.  As is so often the case, the
way to attack this problem is by educating people, thus making them
understand why they want to be careful and what mechanisms are
available to allow them to do so, rather than imposing technical
restrictions that are easy to get around and, since they don't teach
anyone _why_ they're there, just incite people to do so.

Your firewall is not really capable of identifying "X-window" (by which
I assume you mean The X Window System[%]) traffic.  The most it can do
is refuse traffic to the port number usually used for X display 0,
perhaps with display 1 or 2 added for good measure.  But your firewall
is not really in a position to keep someone from starting a server
using (say) port 7654 and telling remote apps to use hostname:1654.

[%] "It's a window system called X, not a system called X-window."

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
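Added example, not from der Mouse's post or from any X distribution: a small Python model of the port argument in the reply. X over TCP listens on port 6000 plus the display number, so a rule that drops "the X port" covers only the displays it names; the rule set and DISPLAY strings below are constructed.

```python
# Added example (not part of the original post). X11 over TCP uses
# TCP port 6000 + display number, so a firewall that blocks displays
# 0..2 never sees a server on display 1654 (tcp/7654).
import re
from typing import Iterable, List, Optional, Tuple

X_BASE_PORT = 6000


def display_to_port(display: str) -> Optional[int]:
    """Map a DISPLAY spec such as 'host:1654.0' to its TCP port.

    Returns None for local-only specs (':0', 'unix:0'), which travel over
    a unix socket and never reach a network firewall.
    """
    m = re.fullmatch(r"([^:]*):(\d+)(?:\.\d+)?", display)
    if not m:
        raise ValueError(f"bad DISPLAY spec: {display!r}")
    host, number = m.group(1), int(m.group(2))
    if host in ("", "unix"):
        return None
    return X_BASE_PORT + number


def blocked_by(rules: Iterable[Tuple[int, int]], port: int) -> bool:
    """rules: inclusive (low, high) TCP port ranges the firewall drops."""
    return any(low <= port <= high for low, high in rules)


# Constructed rule set: what "block X-window traffic" usually becomes,
# i.e. displays 0, 1 and 2 only.
TYPICAL_RULES = [(6000, 6002)]


def leaks_through(displays: Iterable[str],
                  rules: Iterable[Tuple[int, int]] = TYPICAL_RULES
                  ) -> List[Tuple[str, int]]:
    """Return (DISPLAY, port) for every spec the rule set does not drop."""
    rules = list(rules)
    out = []
    for spec in displays:
        port = display_to_port(spec)
        if port is not None and not blocked_by(rules, port):
            out.append((spec, port))
    return out


if __name__ == "__main__":
    sample = ["hostname:0", "hostname:2", "hostname:1654", ":0"]
    for spec, port in leaks_through(sample):
        print(f"{spec} -> tcp/{port} is not covered by {TYPICAL_RULES}")
```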
