Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 592 - standard startx script allows any user to capture X events (and keystroke) from other users' windows
Summary: standard startx script allows any user to capture X events (and keystroke) fr...
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: XFree86
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 1998-12-26 11:08 UTC by borgia
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-01-18 22:20:47 UTC

Attachments (Terms of Use)

Description borgia 1998-12-26 11:08:13 UTC
Let's suppose I write a transparent X program (or go to
rootshell and get it, it is already there) and that I run it
on a workstation occupied by another user: the program sees
everything he does under X and logs every keystroke on a
file in my home dir.

Things like ssh are pretty useless in this situation... the
solution is to prevent other users from starting X apps on a
server they didn't start and this can be done in two ways:

1) by using xdm, that by default has authentication enabled

2) by modifying startx this way:

--- startx	Thu Nov 26 11:05:11 1998
+++ /usr/X11R6/bin/startx	Thu Nov 26 10:55:37 1998
@@ -44,7 +44,7 @@
 while [ "x$1" != "x" ]; do
     case "$1" in
@@ -58,10 +58,18 @@
 		    clientargs="$clientargs $1"
 		    serverargs="$serverargs $1"
+		    case "$1" in
+			:[0-9]) display="$1" ;;
+		    esac
 		fi ;;
+serverargs="$serverargs -auth $HOME/.Xauthority"
+xauth add $display . $mcookie
+xauth add `hostname -f`$display . $mcookie

 xinit $clientargs -- $serverargs

This problem was also present in RH5.0 and 5.1

Comment 1 landrye 1999-01-15 22:04:59 UTC
You might also consider using the mkxauth package

Comment 2 Preston Brown 1999-01-18 22:20:59 UTC
A patch to use xauth in startx will be posted to the errata site.
However, 5.2 will not incorporate this patch into XFree in an security
update, because many people are not familiar with xauth but only xhost
(no matter how wrong this is) and there will be much complaining from
them if we change this. 6.0 will make the change.

Note You need to log in before you can comment on or make changes to this bug.