Date:        Wed, 23 Oct 2002 12:36:32 +0900
    From:        Jun-ichiro itojun Hagino <[EMAIL PROTECTED]>
    Message-ID:  <[EMAIL PROTECTED]>

  |     another example of complication due to the scoped address.
  |     (previous example was FTP)

FTP in general is an interesting case to look at (though as people use
it in practice, with 3-way FTP prohibited, it turns out to be no different
than anything else), but ...

  |     X uses xhost(1) to control accesses to X server.  For instance,
  |             % xhost +10.1.1.1

isn't really interesting at all.   xhost is an administrative tool for
controlling the server.   Any addresses involved are clearly in the
context of the X server - they're used only to compare the source of
incoming connections.   Whether or not the address means anything, be
it the same thing or a different one, at the client (where the xhost
command is run), or nothing at all, is really irrelevant.

There's certainly an issue of translating names to addresses in the
context of the server, at some other location, but that's really the
only issue.

Where the X server lives only in one zone (or each scope) there's no
scoping issues at all really.  Where it lives in more than one, then
technically, one would want to allow the server to accept connections
from fe80::1 in zone 1, but not fe80::1 in zone 2.   There's no way for
xhost to accomplish that (I expect, without looking at how X has been
extended to permit v6 addresses - if done properly, there would be room
there for a scope identifier) but this could just be added on as yet
another limitation of the xhost "authentication" mechanism - allowing
connections from one address, would also allow connections from other
clients that have the same address, in other zones that can reach the
X server.   Big deal .... xhost is trash that no-one who actually cares
about real access control of their X servers uses anyway.

  |     one possible solution would be to make xhost(1) transmit addresses
  |     as a string, and let X server decode it.  even so, the user of xhost(1)
  |     has to know the view of the scope on the machine running X server.

Yes.   Anyone running xhost should understand the context of the X server.
That's beyond doubt, address scopes are just one more issue that needs to
be understood (and one more reason to discard xhost completely).

kre

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
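
Added example, not part of the original message and not X server code: a C sketch of the limitation discussed above, where an address-only host list admits fe80::1 from any zone, beside a comparison that also checks the scope identifier. The struct acl_entry type, the check_peer() helper and the zone numbers are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ACL entry: an allowed address plus the zone (interface
 * index) it was allowed in. */
struct acl_entry {
    struct in6_addr addr;
    unsigned int zone;
};

/* Address-only comparison: the zone the connection arrived in is ignored. */
static int match_zone_blind(const struct acl_entry *e, const struct sockaddr_in6 *peer)
{
    return memcmp(&e->addr, &peer->sin6_addr, sizeof e->addr) == 0;
}

/* Zone-aware comparison: a link-local peer must also arrive in the zone
 * recorded in the entry; global addresses need no zone. */
static int match_zone_aware(const struct acl_entry *e, const struct sockaddr_in6 *peer)
{
    if (!match_zone_blind(e, peer))
        return 0;
    if (IN6_IS_ADDR_LINKLOCAL(&peer->sin6_addr))
        return e->zone == peer->sin6_scope_id;
    return 1;
}

/* Build one entry and one peer from text (constructed sample values) and
 * run the chosen check. Returns 1 = allowed, 0 = refused, -1 = bad input. */
int check_peer(int zone_aware, const char *acl_text, unsigned int acl_zone,
               const char *peer_text, unsigned int peer_zone)
{
    struct acl_entry e = { .zone = acl_zone };
    struct sockaddr_in6 peer = { .sin6_family = AF_INET6, .sin6_scope_id = peer_zone };
    if (inet_pton(AF_INET6, acl_text, &e.addr) != 1 ||
        inet_pton(AF_INET6, peer_text, &peer.sin6_addr) != 1)
        return -1;
    return zone_aware ? match_zone_aware(&e, &peer) : match_zone_blind(&e, &peer);
}

int main(void)
{
    /* Entry allows fe80::1 in zone 1; the peer is fe80::1 arriving in zone 2. */
    printf("zone-blind: %d\n", check_peer(0, "fe80::1", 1, "fe80::1", 2));
    printf("zone-aware: %d\n", check_peer(1, "fe80::1", 1, "fe80::1", 2));
    return 0;
}
```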
