xhost +
This allows anyone on the Internet to watch your screen, watch your
keystrokes, gain control of your display, and enter keystrokes and
mouse events as if it were you. Very nasty.
If you haven't changed the defaults, this is what you'll get, unless you've got your own .xsession startup containing an xhost -. But then you'd have to do other .xsession modifications to bring up SGI's default 4Dwm window manager and such. (I have my own .xsession which does this, then invokes fvwm so my X sessions are protected.)
The fix: Edit your system's xdm startup files to comment out the xhost + stuff. Here are the files from our Irix 5.2:
cd /usr/lib/X11/xdm/
grep -n xhost * /dev/null
Xsession:80:/usr/bin/X11/xhost +
Xsession-remote:44:/usr/bin/X11/xhost +
Xsession.dt:159:/usr/bin/X11/xhost +
It would be smart to then verify this. Log out of the console to restart xdm, then log in again. Telnet to some host for which you have not authorized X11 access to your console. Then launch an xclock or something back to the SGI and make sure that the connection gets rejected. For example, after logging into the console for host `apollo':
cshenton@apollo% telnet unauthorized.hq.nasa.gov
Username: chris
Password:
chris@unauthorized% xclock -display apollo.hq.nasa.gov:0
Error: Can't open display: apollo.hq.nasa.gov:0
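
The edit described in the fix above can be scripted. The following is an added example, not part of the original text: the function names are hypothetical, and the demo runs on constructed files in a temporary directory rather than on the real xdm directory. It comments out only a bare "xhost +" and keeps a .orig copy of every file it changes.

```shell
#!/bin/sh
# Added example (not from the original text); function names are hypothetical.

# A bare "+" argument (end of line, or followed by whitespace) turns access
# control off for every host. "xhost +somehost" only adds one host.
PAT='xhost[[:space:]]+\+([[:space:]].*)?'

# list_open_xhost DIR
# Print file:line:text for each active (uncommented) "xhost +" line found in
# the regular files of DIR. Backup copies (*.orig) are skipped.
list_open_xhost() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $f in *.orig) continue ;; esac
        # /dev/null forces grep to print the file name, as in the text above.
        grep -En "${PAT}\$" "$f" /dev/null |
            grep -Ev '^[^:]*:[0-9]+:[[:space:]]*#' || :
    done
}

# comment_out_open_xhost DIR
# For each file reported by list_open_xhost, save FILE.orig and prefix the
# offending lines with "# ". Lines that are already comments are untouched.
comment_out_open_xhost() {
    list_open_xhost "$1" | cut -d: -f1 | sort -u | while IFS= read -r f; do
        cp -p "$f" "$f.orig" || exit 1
        # Writing with ">" keeps the original file's mode and ownership.
        sed -E "/^[[:space:]]*#/!s/^(.*${PAT})\$/# \\1/" "$f.orig" > "$f" || exit 1
        echo "commented out xhost + in $f"
    done
}

# Demo on constructed sample files.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' '/usr/bin/X11/xhost +' 'exec 4Dwm' > "$d/Xsession"
    printf '%s\n' '# xhost +' 'xhost +trustedhost' > "$d/Xsession-remote"
    comment_out_open_xhost "$d"
    list_open_xhost "$d"    # prints nothing once no open "xhost +" remains
    rm -rf "$d"
}

demo
```

On a real system, call comment_out_open_xhost /usr/lib/X11/xdm as root, then restart xdm and repeat the xclock check shown above.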