This is the mail archive of the cygwin-xfree@sources.redhat.com mailing list for the Cygwin project.



Re: Running remote X apps




--On Thur, Nov 30, 2000 7:50 PM -0800 acmay@mace.penguinpowered.com wrote:

> I have not dealt with the low level X stuff much, but I believe it
> is possible to write a client that is hard to observe that just
> captures all the keyboard access, and it is pretty easy to do a
> DoS by throwing up a lot of clients, and not to mention things
> you wouldn't want your mother to see. So just saying other
> clients are "allowed to connect" seems to understate the
> problem to me. People need to be aware that there are many bad
> things that can happen besides a random X-Client popping up
> a window on their screen.

I'd like to punctuate this point.

When I was an undergrad, I knew someone who'd mess with other people in the 
lab using a trivial program that let him move other people's mouse pointer. 
This X app would create a window on his terminal representing the desktop of 
someone else in the lab whose X-server security settings let my friend 
connect.

A circle would move around in my friend's window as his "victim" moved his 
mouse around.  When my friend clicked in the window, both the circle and 
the victim's mouse pointer would move to the clicked location.  It was 
actually pretty amusing to see a victim get upset at his mouse and 
sometimes move to a different terminal as a result.

Anyway, my point is that instead of listening to mousemove events, my 
friend's app could easily have been logging keypresses instead.  Think about 
this next time you type your password.  You don't want to give unwelcome 
people the ability to connect to your X server.

FWIW, there is an option on one of the xterm popup menus for temporarily 
disabling the ability of other apps to listen to your keypresses.  There's 
even a version of xterm that automatically goes into this mode when it sees 
a passwd prompt.  IIRC, when this mode is on you cannot switch focus to 
other apps.

-jeff
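The message above turns on whether the X server's access-control list lets arbitrary hosts connect. The following shell function is an added example, not code from jeff's message or from the Cygwin/XFree86 project: it audits the output of `xhost` (whose first line reports "access control enabled ..." or "access control disabled ...", followed by one entry per allowed host or user) and flags the two settings that let other people's clients onto your display, a disabled access list (`xhost +`) and host-based entries (`INET:`/`INET6:`/`LOCAL:`), which admit every user on the named host rather than one user. The sample outputs fed to it are constructed for the example; on a real system you would run `xhost | xhost_audit`.

```shell
#!/bin/sh
# Added example: audit the X server access list as reported by `xhost`.
# Reads `xhost` output on stdin, prints one finding per line and returns
# 0 when only per-user entries are present, 1 when the display is open.
# The "access control ..." lines and INET:/SI:localuser: entry formats are
# those printed by xhost from X.Org/XFree86; nothing else is assumed.

xhost_audit() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # `xhost +` was run: any client that can reach the display connects.
                echo "OPEN: access control disabled; any host may connect"
                status=1 ;;
            "access control enabled"*)
                echo "OK:   access control enabled" ;;
            INET:*|INET6:*|LOCAL:*)
                # Host-based entry: every user on that host can read your
                # keystrokes and pointer, not just the one you meant to allow.
                echo "WARN: host-based entry '$line' admits every user on that host"
                status=1 ;;
            SI:localuser:*)
                # Server-interpreted entry tied to one local user: acceptable.
                echo "OK:   per-user entry '$line'" ;;
            "")
                ;;
            *)
                echo "INFO: unrecognised entry '$line'" ;;
        esac
    done
    return "$status"
}

# Stand-alone demonstration on constructed xhost output (not real captures).
demo() {
    echo "--- locked-down display ---"
    if printf '%s\n' \
        "access control enabled, only authorized clients can connect" \
        "SI:localuser:jeff" | xhost_audit; then
        echo "result: safe"
    else
        echo "result: exposed"
    fi

    echo "--- display after 'xhost +labhost' ---"
    if printf '%s\n' \
        "access control enabled, only authorized clients can connect" \
        "INET:labhost" | xhost_audit; then
        echo "result: safe"
    else
        echo "result: exposed (fix with: xhost -labhost)"
    fi

    echo "--- display after 'xhost +' ---"
    if printf '%s\n' \
        "access control disabled, clients can connect from any host" | xhost_audit; then
        echo "result: safe"
    else
        echo "result: exposed (fix with: xhost -)"
    fi
}

demo
```

`xhost -` re-enables the access list and `xhost -hostname` drops a host entry; with the list enabled, clients still need a matching cookie from `xauth` (or a per-user `SI:localuser:` entry) to connect, which is the state the audit reports as safe.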



