Friday, March 29, 2024

Re: Security questions: Login spoofing, X11 keylogging, and sandboxed apps

Replying now to chohag@jtan.com:
>[…] any
>application which uses the X server (ie. can access the tcp port
>or unix socket and has the correct xauth key […]
The default PF configuration blocks access to the ports, but only on non-loopback interfaces.
Again, I'm not an X11 expert, but it looks like the X auth file exists because anyone can connect to these ports on localhost, so the file would mediate it further. PF can match packets based on UIDs, but if I understand pf.conf(5) correctly, it matches based on the user owning the listening socket (which would be the dedicated X11 account) rather than the user that tries to connect to the X server. The xauth(1) and Xsecurity(7) man pages seem relevant; I'll have a deeper look at them later.
