Bugtraq mailing list archives

Re: XDM Insecurity revisited


From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Thu, 19 Aug 1999 14:36:38 +0100


Digital Unix 4.0E, SuSE Linux 6.1 and Red Hat Linux 6.0 are still
(1.5 years later) shipped with this default Xaccess file. It is somehow
ironic that e.g. SuSE now uses tcpwrappers by default on most TCP
services in its distribution and describes the use of tcpwrappers in
the manual in a special chapter about security, but fails to close (or
even mention) that way to circumvent login restrictions.

Even more fun, just open 1024 XDMCP sessions with a remote xdm on a low
spec box. Xdm doesn't like this. Gdm at least does damage limitation in
this case.

On the Red Hat side, for a standard Red Hat 6 using gdm not xdm, edit
/etc/X11/gdm.conf and set it to

[xdmcp]
Enable=0

and life is happier.
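The probe below is an added example, not code from the post or from xdm/gdm. It builds the XDMCP Query that xdm and gdm answer on 177/udp and decodes the Willing or Unwilling reply, which is the quickest way to tell whether a box still honours the open Xaccess default or whether the Enable=0 change above actually took effect. It assumes the standard XDMCP wire format (big-endian CARD16 fields, ARRAY8 = 2-byte length plus bytes, ARRAYofARRAY8 = 1-byte count plus entries); the sample Willing packet and the hostname "xhost" are constructed, not captured traffic.

```python
"""Minimal XDMCP prober: build a Query, decode Willing/Unwilling.

Added example, not part of the original post. Assumes the standard XDMCP
wire format: all integers big-endian, ARRAY8 = CARD16 length + bytes,
Query body = ARRAYofARRAY8 of authentication names (CARD8 count + entries).
"""
import socket
import struct

XDMCP_PORT = 177          # well-known XDMCP port (udp)
XDMCP_VERSION = 1
OP_QUERY = 2
OP_WILLING = 5
OP_UNWILLING = 6


def build_query(auth_names=()):
    """Encode an XDMCP Query; with no auth names the body is one 0x00 count byte."""
    body = bytes([len(auth_names)])
    for name in auth_names:
        body += struct.pack("!H", len(name)) + name
    return struct.pack("!HHH", XDMCP_VERSION, OP_QUERY, len(body)) + body


def _read_array8(buf, off):
    """Decode one ARRAY8 at offset off; return (bytes, new_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated ARRAY8 length")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated ARRAY8 body")
    return buf[off:off + n], off + n


def parse_reply(data):
    """Decode a Willing or Unwilling reply into a dict; ValueError on anything else."""
    if len(data) < 6:
        raise ValueError("packet too short for XDMCP header")
    version, opcode, length = struct.unpack_from("!HHH", data, 0)
    if version != XDMCP_VERSION:
        raise ValueError("unexpected XDMCP version %d" % version)
    if len(data) - 6 < length:
        raise ValueError("truncated XDMCP body")
    off = 6
    if opcode == OP_WILLING:
        # Willing = Authentication Name, Hostname, Status (all ARRAY8)
        auth_name, off = _read_array8(data, off)
        hostname, off = _read_array8(data, off)
        status, off = _read_array8(data, off)
        return {"willing": True,
                "auth_name": auth_name.decode(errors="replace"),
                "hostname": hostname.decode(errors="replace"),
                "status": status.decode(errors="replace")}
    if opcode == OP_UNWILLING:
        # Unwilling = Hostname, Status
        hostname, off = _read_array8(data, off)
        status, off = _read_array8(data, off)
        return {"willing": False,
                "hostname": hostname.decode(errors="replace"),
                "status": status.decode(errors="replace")}
    raise ValueError("unexpected opcode %d" % opcode)


def probe(host, port=XDMCP_PORT, timeout=2.0):
    """Send a Query to host; return the decoded reply, or None if nothing answers.

    A silent host means XDMCP is disabled or filtered; a Willing reply means
    the display manager will offer a login to whoever asks.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_reply(data)


# Constructed sample of a Willing reply from a host called "xhost" (not captured traffic):
# empty auth name, hostname "xhost", status "0 user".
SAMPLE_WILLING = (struct.pack("!HHH", XDMCP_VERSION, OP_WILLING, 2 + 7 + 8)
                  + b"\x00\x00" + b"\x00\x05xhost" + b"\x00\x06" + b"0 user")

if __name__ == "__main__":
    print("query bytes:", build_query().hex())
    print("sample reply:", parse_reply(SAMPLE_WILLING))
```

Run probe("192.0.2.10") against a machine before and after setting Enable=0 in gdm.conf (or tightening Xaccess for xdm): a Willing reply naming the host confirms the open default is still live, None confirms it no longer answers.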

