.....this is the concluding part of this article....enjoy...
7. Trojan X clients - xlock and X based logins
Can you think of a more suitable program for installing a
password-grabbing trojan horse than xlock? I myself cannot. With a few
lines added to the getPassword routine in xlock.c, the password of
every user who runs the trojan version of xlock can be stashed away in a
file for later use by an intruder. The change is so small that the two
binaries are indistinguishable from the outside; only a checksum
comparison against the copy in the system directory will tell the real
version from the trojan version.
If a user's home directory is writable by others and her PATH environment variable contains ./ (or an empty element) ahead of the system directories, she is vulnerable to this kind of attack. Getting the password is achieved by placing a trojan version of xlock in the user's home directory and waiting for her to invoke xlock from there: the shell searches PATH in order, so the copy in the current directory is found first. The trojan version contains the full functionality of the original xlock, so the screen locks and unlocks as usual. The trojan version
can even tidy up and delete itself after one successful attempt, and the user will not know that her password has been captured.
xlock, like every password-prompting program, should be regarded with suspicion if it shows up in places it should not be, like in your own home directory. Check which copy your shell actually resolves (type xlock, or which xlock) and compare it against the copy in the system directory.
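As an added example (not part of the original article), here is a Python script that performs the check a practitioner would want after reading the above: it walks PATH in the shell's order, finds which file would actually run for each password-prompting command, and flags the '.' entry, a location outside the trusted system directories, and a group- or world-writable directory. The command list, the trusted directories and the temporary directory tree built by demo() are assumptions constructed for this example, not anything from the article.

```python
import os
import shutil
import stat
import tempfile

# Password-prompting programs an intruder would most like to shadow with a
# trojan copy. The list is an assumption for this example; extend it as needed.
SENSITIVE_COMMANDS = ("xlock", "su", "passwd")


def path_entries(path_value):
    """Split PATH the way the shell does: an empty element also means '.'."""
    return [e if e else "." for e in path_value.split(":")]


def writable_by_others(st):
    """Group- or world-writable mode bits: someone other than the owner could
    drop a file here. Owner permission is ignored on purpose, since the owner
    can always write to her own home directory."""
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_path(path_value, cwd, trusted_dirs, commands=SENSITIVE_COMMANDS):
    """For each command, find the file the shell would actually execute (first
    match in PATH order) and list why that location is suspicious. Returns a
    list of (command, resolved_path, reasons); an empty reasons list is clean."""
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    findings = []
    for cmd in commands:
        for entry in path_entries(path_value):
            directory = cwd if entry == "." else entry
            candidate = os.path.join(directory, cmd)
            try:
                st = os.stat(candidate)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            reasons = []
            if entry == ".":
                reasons.append("reached through '.' (or an empty element) in PATH")
            if os.path.realpath(directory) not in trusted:
                reasons.append("not in a trusted system directory")
            if writable_by_others(os.stat(directory)):
                reasons.append("directory is group- or world-writable")
            findings.append((cmd, candidate, reasons))
            break  # the shell stops at the first hit, so do we
    return findings


def demo():
    """Constructed scenario, not taken from the article: a genuine xlock in a
    stand-in system bin directory, a trojan copy in a world-writable home
    directory, and a PATH that begins with '.' while the user is in that home."""
    root = tempfile.mkdtemp()
    try:
        sysbin = os.path.join(root, "usr", "bin")
        home = os.path.join(root, "home", "alice")
        os.makedirs(sysbin)
        os.makedirs(home)
        for d in (sysbin, home):
            exe = os.path.join(d, "xlock")
            with open(exe, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")  # placeholder; never executed
            os.chmod(exe, 0o755)
        os.chmod(sysbin, 0o755)  # owner-writable only, like a real /usr/bin
        os.chmod(home, 0o777)    # the "writable homedir" from the article
        return audit_path(".:" + sysbin, cwd=home, trusted_dirs=[sysbin],
                          commands=("xlock",))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for cmd, where, why in demo():
        print(f"{cmd} -> {where}: {'; '.join(why) if why else 'looks clean'}")
    # Audit the real environment; adjust trusted_dirs to where X lives on your system.
    for cmd, where, why in audit_path(os.environ.get("PATH", ""), os.getcwd(),
                                      ["/bin", "/usr/bin", "/usr/X11R6/bin"]):
        print(f"{cmd} -> {where}: {'; '.join(why) if why else 'looks clean'}")
```

The audit deliberately uses mode bits rather than access(2), so the answer is "could an unprivileged user plant a file here" even when the script itself is run as root. A clean result means the first xlock in your PATH is the one in a trusted directory that only its owner can write to.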
Spoofed X based logins, however, are a bit more tricky for the intruder to accomplish. He must simulate the login screen of the login program run by xdm. The only way to ensure that you get the genuine xdm login
program (if you want to be really paranoid) is to restart the X terminal, using whatever key combination that is for the terminal in question, so that any program an intruder left running on the display is killed.
8. X Security tools - xauth MIT-MAGIC-COOKIE
To avoid unauthorized connections to your X display, the xauth command and the MIT-MAGIC-COOKIE-1 authorization scheme are widely used. Note that this is a shared secret, not encryption: the cookie is a 128-bit random value that a client sends in the clear when it connects, and the server accepts the connection if the value matches its own. When you log in, xdm generates a fresh cookie and writes it to the file .Xauthority in your home directory. This file is binary and is protected only by its permissions (it is created mode 0600, so you, and any program running as you, can read it); xauth is the usual tool for listing and editing it. If you issue the command
$ xauth list
you will get an output of:
your.display.ip:0 MIT-MAGIC-COOKIE-1 73773549724b76682f726d42544a684a
(columns: display name, authorization type, key)
The .Xauthority file often also contains entries from older sessions. These do not affect the current display, as xdm creates a new key at every login session, but an old entry still grants access to whatever display it names if that display is still running, so remove entries you no longer need with xauth remove. To access a display with xauth active, a client must present the current key.
If you want to open your display for connections from a particular user, you must give him your key, over a channel you trust, since anyone who learns it can connect. He must then issue the command
$ xauth add your.display.ip:0 MIT-MAGIC-COOKIE-1 73773549724b7668etc.
Now that user (and you) can connect to your display, and anyone without the cookie is refused. Because the cookie travels in cleartext on the wire, it offers no protection against someone who can sniff the connection between client and server, and the X traffic itself is not encrypted either. Within those limits, xauth is simple and powerful, and eliminates many of the security problems with X.
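As an added example (not from the article), here is a small Python reader and writer for the .Xauthority file format, so you can see exactly what xauth list is showing: each record is a 2-byte big-endian family code followed by four length-prefixed fields (address, display number, authorization name, authorization data). The family codes follow X11/Xauth.h; the sample entries, host names and cookie values are constructed for the example. It also generates a fresh cookie the way xdm does (128 random bits, written as 32 hex digits for xauth add) and picks out the stale entries from older sessions that the text mentions.

```python
import secrets
import socket
import struct
from collections import namedtuple

# Family codes from X11/Xauth.h, the ones xauth prints most often.
FAMILY_INTERNET, FAMILY_INTERNET6, FAMILY_LOCAL, FAMILY_WILD = 0, 6, 256, 65535

Entry = namedtuple("Entry", "family address number name data")


def _counted(buf, pos):
    """Read one length-prefixed (2-byte big-endian) field starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated .Xauthority record")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated .Xauthority record")
    return bytes(buf[pos:pos + n]), pos + n


def parse_xauthority(buf):
    """Decode a whole file into Entry records; raises ValueError on truncation."""
    entries, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated .Xauthority record")
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _counted(buf, pos)
        number, pos = _counted(buf, pos)
        name, pos = _counted(buf, pos)
        data, pos = _counted(buf, pos)
        entries.append(Entry(family, address, number, name, data))
    return entries


def serialize_xauthority(entries):
    """Inverse of parse_xauthority: write the records back in file format."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += struct.pack(">H", len(field)) + field
    return bytes(out)


def is_well_formed(buf):
    try:
        parse_xauthority(buf)
        return True
    except ValueError:
        return False


def display_name(e):
    """Render the display the way xauth list does (host/unix:N for local)."""
    if e.family == FAMILY_LOCAL:
        host = e.address.decode("ascii", "replace") + "/unix"
    elif e.family == FAMILY_INTERNET:
        host = socket.inet_ntoa(e.address)  # 4-byte address, no DNS lookup
    else:
        host = e.address.hex()
    return host + ":" + e.number.decode("ascii", "replace")


def format_list(entries):
    """Lines in the same layout as the xauth list output quoted above."""
    return [f"{display_name(e)}  {e.name.decode('ascii', 'replace')}  {e.data.hex()}"
            for e in entries]


def new_cookie_hex():
    """What xdm does at login: 128 random bits, shown as 32 hex digits."""
    return secrets.token_bytes(16).hex()


def stale_entries(entries, current_display):
    """Entries for other displays; each still grants access wherever it points."""
    return [e for e in entries if display_name(e) != current_display]


# Constructed sample, not a real file: an old session's cookie for the TCP
# display on 192.168.1.10, and the current cookie for the local display.
SAMPLE_ENTRIES = [
    Entry(FAMILY_INTERNET, socket.inet_aton("192.168.1.10"), b"0",
          b"MIT-MAGIC-COOKIE-1", bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")),
    Entry(FAMILY_LOCAL, b"myhost", b"0",
          b"MIT-MAGIC-COOKIE-1", bytes.fromhex("73773549724b76682f726d42544a684a")),
]
SAMPLE_FILE = serialize_xauthority(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for line in format_list(parse_xauthority(SAMPLE_FILE)):
        print(line)
    print("stale:", [display_name(e) for e in stale_entries(SAMPLE_ENTRIES, "myhost/unix:0")])
    print("fresh cookie:", new_cookie_hex())
```

To read your own file, pass open(os.path.expanduser("~/.Xauthority"), "rb").read() to parse_xauthority. The point of the exercise is that nothing in the file is hidden: any process that can read it holds every cookie in it, which is why its 0600 mode, and not its binary encoding, is what protects your display.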
9. Concluding remarks
Thanks must go to Anthony Tyssen for sending me his accumulated info on X security issues from various usenet discussions. I hope someone has found useful information in this text. It is released to the net community with the idea that it will help the user to understand the security problems concerned with using X windows.
...Hope you all enjoyed it..