From: Cameron Patrick
Subject: Re: [RP] Using q as ratpoison escape character disables <ctrl+q> (<ctrl+q>+q)
Date: Tue, 26 Apr 2005 16:49:25 +0800
User-agent: Mutt/1.5.6+20040907i

On Tue, Apr 26, 2005 at 08:56:50AM +0200, Thibault Hild wrote:
> So no big deal as long as everybody is nice behind the firewall ;).

More or less, but not quite:

- Most X servers only listen to local connections anyway, so even with
  no firewall you should be okay. However, it does mean that root on
  the machine your X server or X clients are running on can
  potentially type in your Xterms. That's not _such_ a big deal, when
  you realise that if they've got control of your X desktop, you're
  probably sunk anyway. Amongst other things, they could start a
  programme to just log all of the key strokes, and wait for you to
  type a password or credit card number or other such.

- Even if your X server _is_ listening for TCP connections to the
  world, it'll require authentication before anyone can do stuff
  anyway. Generally this authentication would involve stealing a key
  file from your home directory; i.e. if someone has root on the
  machine where your /home is, they can steal your X sessions. Again,
  not such a biggie, because if someone has access to your /home,
  you're screwed in many other ways already. You can also use xhost
  to allow any connections from particular remote machines. Don't do
  that, it's bad. Generally the best and most painless approach for
  remote X is to use SSH forwarding.

- SSH has a feature called X forwarding (enabled by `ssh -X
  machinename`; you can also switch it on and off by default on a
  per-machine basis in the ssh config files; also for paranoia-related
  reasons, Debian ships with ssh servers which don't support this at
  all unless you edit /etc/ssh/sshd_config). If you ssh into another
  machine with X forwarding switched on, that's effectively given your
  account on the other machine full access to your X display. Because
  of the Unix permissions mechanism, it also gives root on the remote
  machine full access to your X session.

So the moral of this story is, never let any machine near your X
display unless you have root access, or trust completely the people
who do.

Cameron.
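
A small audit of the three access paths described in the message above (xhost grants, the sshd X11Forwarding setting, and per-host ForwardX11 in the ssh client config), as an added example that is not part of the original post. The function names are made up for illustration, the sample config is constructed, and Match blocks and Include files are not followed.

```shell
#!/bin/sh
# Added example. Each function reads tool output or config text on stdin and
# prints one line per finding.

# `xhost` output: disabled access control, or grants to a whole remote host.
audit_xhost() {
    awk '
        /access control disabled/ { print "xhost: access control disabled"; next }
        /^INET6?:/                { print "xhost: whole-host grant " $1 }
    '
}

# Global X11Forwarding in sshd_config text. sshd keeps the first value it
# reads for a keyword; the OpenSSH built-in default is "no".
audit_sshd() {
    awk '
        BEGIN { v = "no" }
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == "x11forwarding" { v = tolower($2); exit }
        END { print "sshd: X11Forwarding " v }
    '
}

# Host blocks in ssh_config text that set ForwardX11 yes: each such host, and
# root on it, gets access to the local display whenever you connect.
audit_ssh_client() {
    awk '
        BEGIN { host = "(global)" }
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "host" { $1 = ""; sub(/^ +/, ""); host = $0; next }
        tolower($1) == "forwardx11" && tolower($2) == "yes" {
            print "ssh: ForwardX11 yes for " host
        }
    '
}

# Constructed sample client config; prints "ssh: ForwardX11 yes for shell.example".
audit_ssh_client <<'EOF'
Host shell.example
    ForwardX11 yes
Host *
    ForwardX11 no
EOF
```

On a live system the same functions take `xhost | audit_xhost`, `audit_sshd < /etc/ssh/sshd_config` and `audit_ssh_client < ~/.ssh/config`.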