[Prev][Next][Index][Thread]

Re: XDMCP security?



On Mon, 23 Sep 1996, Ira Abramov wrote:

>I just discovered that taking away the shell from a user (leaving him only
>with pop) won't stop him from getting a shell if he opens an X session
>through XDMCP (i.e. any win95 station and a few freewares :-(

>deleting the users' .xsession is a patial solution, but they can undo
>that, and creating a .xsession owned by root (non-rewritable by the user)
>seems like an awkward solution. ideas anyone?

  This last will not work.

  A user has the privilege to rename a root owned file or directory
inside a directory (the home directory here) that she owns.

alex


Follow-Ups: References: