XDM xhost Security Hole

Some vendors, like SGI, ship their systems such that console logins through the X11 Display Manager (xdm) invoke:
    xhost +
This disables the X server's host-based access control entirely: any host that can reach the display's TCP port (6000 for display :0) may connect. Anyone on the Internet can then watch your screen, watch your keystrokes, gain control of your display, and enter keystrokes and mouse events as if it were you. Very nasty.

If you haven't changed the defaults, this is what you'll get, unless you've got your own .xsession startup containing an xhost -. But then you'd have to do other .xsession modifications to bring up SGI's default 4Dwm window manager and such. (I have my own .xsession which does this, then invokes fvwm, so my X sessions are protected.)

The fix: edit your system's xdm startup files and comment out every xhost + invocation. Here are the files from our IRIX 5.2 system (grep's /dev/null argument just forces it to print the file name before each match):

    cd /usr/lib/X11/xdm/
    grep -n xhost * /dev/null
    Xsession:80:/usr/bin/X11/xhost +
    Xsession-remote:44:/usr/bin/X11/xhost +
    Xsession.dt:159:/usr/bin/X11/xhost +

It would be smart to then verify this. Log out of the console so that xdm restarts, then log in again. Running xhost with no arguments on the console should now report "access control enabled" rather than "access control disabled". Then telnet to some host which you have not authorized (via xhost) to connect to your display, and from there launch xclock or some other X client back at the SGI: the connection must be rejected. If the clock appears on your screen, the fix did not take. Example, after logging into the console of host `apollo':

    cshenton@apollo% telnet unauthorized.hq.nasa.gov

    Username: chris

    chris@unauthorized% xclock -display apollo.hq.nasa.gov:0
    Error: Can't open display: apollo.hq.nasa.gov:0
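The edit-and-verify procedure above, as an added example (this is not code from the original page or from SGI). It scans the xdm directory for active xhost + lines, comments them out while keeping a .orig copy, and classifies the access-control line that a bare xhost prints. The directory /usr/lib/X11/xdm is the IRIX 5.2 layout shown above; the XDM_DIR variable, the function names and the "run" argument are this example's own conventions. The remote xclock test still has to be done by hand from another host.

```shell
#!/bin/sh
# Added example, not code from the original page. Finds and disables the
# "xhost +" lines in the xdm startup scripts, then reports the running X
# server's access-control state. XDM_DIR is an assumption that defaults to
# the IRIX 5.2 path shown on the page; override it for other systems.

XDM_DIR="${XDM_DIR:-/usr/lib/X11/xdm}"

# Pattern for an *active* "xhost +" that disables access control entirely.
# It deliberately does not match "xhost +somehost" (which grants a single
# host), nor lines already commented out with "#".
XHOST_PLUS_RE='^[^#]*xhost[[:space:]]*+[[:space:]]*$'

# List active "xhost +" lines as file:line:text, like the grep on the page.
# Backup copies (*.orig) written by disable_xhost_plus are skipped.
find_xhost_plus() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.orig) continue ;; esac
        # /dev/null forces grep to print the filename even for one file.
        grep -n "$XHOST_PLUS_RE" "$f" /dev/null || true
    done
}

# Number of active "xhost +" lines under a directory (0 once it is clean).
count_xhost_plus() {
    n=$(find_xhost_plus "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Comment out every active "xhost +" line, keeping an untouched .orig copy
# of each file that is changed. Re-running is safe: .orig files are skipped
# and already-commented lines no longer match the pattern.
disable_xhost_plus() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.orig) continue ;; esac
        grep -q "$XHOST_PLUS_RE" "$f" || continue
        cp -p "$f" "$f.orig"
        sed "s|$XHOST_PLUS_RE|# DISABLED (xhost + opens the display to everyone): &|" \
            "$f.orig" > "$f"
    done
}

# Classify the output of a bare "xhost" run, read on stdin. xhost prints
# "access control disabled, clients can connect from any host" after an
# "xhost +", and "access control enabled, only authorized clients can
# connect" otherwise. Prints "open" or "restricted".
classify_xhost_output() {
    if grep -q 'access control disabled'; then
        echo open
    else
        echo restricted
    fi
}

# Usage on a real system (as root, with DISPLAY set for the final check):
#   sh fix-xhost.sh run
# The explicit "run" argument keeps sourcing this file from editing anything.
if [ "${1:-}" = "run" ]; then
    echo "Active xhost + lines in $XDM_DIR:"
    find_xhost_plus "$XDM_DIR"
    disable_xhost_plus "$XDM_DIR"
    echo "After edit: $(count_xhost_plus "$XDM_DIR") active xhost + line(s)"
    if command -v xhost >/dev/null 2>&1; then
        echo "Current X server access control: $(xhost 2>/dev/null | classify_xhost_output)"
    fi
fi
```

Note that the edit only takes effect for new sessions: the running X server keeps whatever access list the old Xsession gave it until you log out and xdm restarts it, which is why the page has you log out before verifying.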

Chris Shenton