[OpenAFS] ACLs and open-afs

Derrick J Brashear shadow@dementia.org
Fri, 11 Oct 2002 13:16:44 -0400 (EDT)


On Fri, 11 Oct 2002, Friedrich Delgado Friedrichs wrote:

> Everybody who can read your .Xauthority file can connect to your
> running X-Session (remote or local) which means that he can display
> your desktop contents and observe every keystroke you type (i.e. log
> your ssh/afs/Kerberos passwords) if the XFree ports are open (TCP port
> 6000 and above). Depending on how your X-Server and other involved
> software is configured, this opens your account to the whole wide
> world (worst case) or at least (!) to anybody who can log on to your
> machine.
>
> Since xauth and some other software check if ~/.Xauthority is a
> symlink in some cases, it is not as easily possible to use a symlink
> pointing to e.g. ~/.restricted/.Xauthority or something.

Of course the thing you're all neglecting is the bit where unless you have
your AFS traffic encrypted, you already screwed yourself by having
.Xauthority in AFS. OpenSSH used to get it right (put it in the local
filesystem) but managing local files is hard, and OpenSSH went shopping.
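As an added illustration that is not part of this thread: the exposure both posters describe hinges on who can read the directory holding `.Xauthority`, which in AFS is decided by that directory's ACL rather than by Unix mode bits. The script below parses `fs listacl` output (sample output constructed here, with a hypothetical cell and user) and applies AFS semantics, positive entries unioned and negative entries subtracted per audience, to report whether anonymous or merely authenticated users can read files there; `check_dir` runs the real command and is an assumption about the caller's environment.

```python
import subprocess
from typing import Dict, Set, Tuple

# Which AFS system groups an unauthenticated vs. an authenticated client belongs to.
AUDIENCES = {
    "anonymous": ("system:anyuser",),
    "authenticated": ("system:anyuser", "system:authuser"),
}

def parse_listacl(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split `fs listacl DIR` output into (normal, negative) principal->rights maps."""
    normal: Dict[str, str] = {}
    negative: Dict[str, str] = {}
    target = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Normal rights:"):
            target = normal
        elif s.startswith("Negative rights:"):
            target = negative
        elif target is not None and len(s.split()) == 2:
            who, rights = s.split()
            target[who] = rights
    return normal, negative

def effective_rights(normal, negative, groups) -> Set[str]:
    """AFS rule: union of matching positive entries minus union of matching negatives."""
    granted = set().union(*(set(normal.get(g, "")) for g in groups))
    denied = set().union(*(set(negative.get(g, "")) for g in groups))
    return granted - denied

def exposure(text: str) -> Dict[str, bool]:
    """True per audience if it holds the 'r' bit, i.e. can read .Xauthority contents."""
    normal, negative = parse_listacl(text)
    return {name: "r" in effective_rights(normal, negative, groups)
            for name, groups in AUDIENCES.items()}

def check_dir(path: str) -> Dict[str, bool]:
    """Run `fs listacl` on a live AFS directory (assumes the AFS client tools are present)."""
    out = subprocess.run(["fs", "listacl", path], capture_output=True, text=True, check=True)
    return exposure(out.stdout)

# Constructed sample: the negative entry shields authenticated users but not anonymous ones.
SAMPLE_ACL = """Access list for /afs/example.org/user/f/friedrich is
Normal rights:
  system:administrators rlidwka
  friedrich rlidwka
  system:anyuser rl
Negative rights:
  system:authuser r
"""
```

Note that the sample ACL shows the trap the negative-rights mechanism sets: denying `system:authuser` read access leaves the file open to unauthenticated readers, who are exactly the ones the thread worries about.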