Jesse I Pollard - CONTRACTOR wrote:

Michael Bender wrote:

Sure, but the user/administrator needs to fix whatever configuration
is allowing something like ssh to grab :0 - I don't think that this
is a common use case.

You can't prevent it. If port 6000 is not being used, then any user
application may allocate it.

On Solaris at least, you can mark any port as a privileged port
(both UDP and TCP). Not sure about Linux.

I guess that the issue with 6000 really depends on if the console
X server (that would be the normal X server that uses 6000) starts
up before someone can log in and grab 6000 (by any means). I'm not
sure if there is some code somewhere that sets 6000 as a privileged
port or not.

Anyway, what does this have to do with pcscd?

There is also the issue of when the X server strictly uses the named
socket in /tmp/.X11-unix/X0 and doesn't use socket 6000.

How does the issue of which socket the X server uses affect this
discussion concerning pcscd?

It determines what the X display environment value is. If port 6000
isn't being used, then it becomes :0. If it is being used, then :1
is used.

This is an X server thing. I still don't see what this has to do
with pcscd.

XDM has some minimal configuration that assigns the X display and
X server. If port 6000 is used, then it will not start an X server.
Well sort of - the X server starts, but cannot open its designated
socket, so it then terminates, XDM then reports a failure to syslog.

OK. What does XDM have to do with pcscd?

You are assuming the user generating the :0 display would be given that
privilege in the first place. He may be attacking the system via the
smartcard reader.

How is that possible?

This is not inherently a problem - It only becomes a problem when you
assume the X display really is on the console.

OK, but what does this have to do with pcscd?

mike
--
[EMAIL PROTECTED] Sun Ray Product Engineering
I don't speak for my employer. My opinions are not necessarily those of
Sun Microsystems, Inc. or any of its wholly-owned subsidiaries.
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
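
Added example, not part of the original thread: the thread notes that TCP port 6000 is not a privileged port, so whichever process binds it first ends up behind display :0. The Python below lists which UIDs own listeners on the X11 TCP ports, assuming the Linux /proc/net/tcp text format; the sample lines, the 64-display range and the trusted-UID policy are constructed assumptions.

```python
# Added example: audit which UIDs own listeners on X11 TCP ports (6000 + display).
# Assumes the Linux /proc/net/tcp text format; SAMPLE is constructed data.
X11_BASE = 6000
MAX_DISPLAYS = 64        # assumption: audit displays :0 .. :63
TCP_LISTEN = "0A"        # socket state code for LISTEN in /proc/net/tcp

SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 41873 1 0000000000000000 100 0 0 10 0
   1: 0100007F:177A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 41902 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20511 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1771 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 50010 1 0000000000000000 20 4 30 10 -1
"""


def x11_listeners(proc_net_tcp_text):
    """Return [(display, port, uid)] for sockets listening on X11 TCP ports."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue                                      # not a listening socket
        port = int(fields[1].rsplit(":", 1)[1], 16)       # local port is hex
        display = port - X11_BASE                         # :N listens on 6000+N
        if 0 <= display < MAX_DISPLAYS:
            found.append((display, port, int(fields[7])))  # field 7 is the owner UID
    return found


def unexpected_owners(listeners, trusted_uids=(0,)):
    """Listeners whose owning UID is not in trusted_uids (assumed local policy)."""
    return [entry for entry in listeners if entry[2] not in trusted_uids]


def audit(path="/proc/net/tcp"):
    """Run the same check against the live table on a Linux host."""
    with open(path) as fh:
        return unexpected_owners(x11_listeners(fh.read()))


if __name__ == "__main__":
    for display, port, uid in unexpected_owners(x11_listeners(SAMPLE)):
        print(f"display :{display} (tcp/{port}) is owned by uid {uid}, "
              "not a trusted X server account")
```

This covers IPv4 TCP listeners only; it does not look at /proc/net/tcp6 or at the named socket in /tmp/.X11-unix.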