X Security: a summary

[Lionel.Cons () CERN CH (Lionel Cons)]

I've written some pages on the web describing different aspects of "X
security". There is nothing really new here but it seems that most
people are unaware of all the kinds of problems they may face. Here is
an example:

>  Joe is a skilled sysadmin with good UNIX security knowledge. His
>  personal workstation is highly protected and his pager gets an alarm
>  when someone tries to portscan any of his machines.  At the end of the
>  day, to relax a bit, he connects to a public server (with ssh of
>  course) using a non-privileged account. He then starts Netscape to
>  enjoy the latest Tamagotchi Java applet. A few minutes later, he hears
>  his local disk spinning while his home directory is being destroyed...
>
>  How can this be possible?
>
>  Exploiting yet another flaw in Java/Netscape, a bad guy gets read
>  access to his non-privileged account. From here, he can connect to the
>  X server on Joe's workstation using the ssh X forwarding
>  capability. He then simply sends "rm -fr ~" to a Tk/Tcl application,
>  locally running on Joe's workstation...

One page describes a program that I wrote (named mxconns) that may
help you to protect your X server.

If you are interested, have a look at
        http://wwwinfo.cern.ch/dis/security/x/

Comments, additions, etc. are welcome!

________________________________________________________
Lionel Cons        http://wwwinfo.cern.ch/~cons
CERN               http://www.cern.ch
-
Hinds' 6th Law of Computer Programming
        Program complexity grows until it exceeds the capability of the
        programmer who must maintain it.