[Sorry to come with this again] The now closed (DISCARDED) bug #8 happened on our systems even within xdm. I dug a little bit and found out that /etc/X11/xdm/authdir is missing. xdm tries to put its auth files in /usr/X11R6/lib/X11/xdm/authdir, which due to symlinks resolves to /etc/X11/xdm/authdir. Someone should include /etc/X11/xdm/authdir in the XFree86 package; otherwise xdm will fall back to xhost authorization.

Now we have the -- still -- ill xhost values when starting without xauth. The initial values should (at most) be 'LOCAL:' -- no 'thishost.domain.com' and 'localhost'. And the xhost values (maybe except the LOCAL:) should be resettable by the user, or am I talking nonsense here?

I think the lack of /etc/X11/xdm/authdir is due to us not going through the 'official' Red Hat update procedure but just installing the new rpms on the machines in our pool. Maybe one should advise people to check for this directory on their machines, because the lack of it causes IMO a not negligible security breach. Don't forget to include /etc/X11/xdm/authdir in the next release of XFree.

Best wishes,
Nils
You are correct that /etc/X11/xdm/authdir is not owned by any package. However, further investigation shows that xdm actually creates the authdir if it is not present when it is first run. Therefore there is no need for it to be owned by the package.

When logging in with xdm, on a 5.2 system, this is the default value that I get for xhost:

    [pbrown@pip xdm]$ xhost
    access control enabled, only authorized clients can connect

which is what I would expect. Users other than myself cannot start X programs. For example, here is what happens if I try to start xclock as root (instead of myself, pbrown):

    [root@pip xdm]# xclock
    Xlib: connection to ":0.0" refused by server
    Xlib: Client is not authorized to connect to Server
    Error: Can't open display: :0.0

If you get other values from xhost while you are using xdm, you have changed something in your configuration from the default settings.
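As an added example, not from the bug report or from the XFree86 package: a small POSIX shell audit for the two conditions this thread turns on, whether xdm's authdir exists and whether the `xhost` output lists anything beyond LOCAL:. The function names and the sample xhost outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report: audit the two conditions this
# thread turns on. Function names and sample outputs are constructed.

# xdm_authdir_present DIR -> 0 if DIR exists (xdm can write cookie files
# there), 1 if it is missing, the state in which the reporter says xdm
# falls back to xhost authorization.
xdm_authdir_present() {
    [ -d "$1" ]
}

# xhost_is_strict OUTPUT -> 0 when the text printed by `xhost` says access
# control is enabled and lists no entry other than LOCAL: (or a
# SI:localuser: entry); 1 when control is disabled or when host entries
# such as INET:localhost or INET:thishost.domain.com are present, which
# widen access beyond the xauth cookie.
xhost_is_strict() {
    case $1 in
        "access control enabled"*) ;;
        *) return 1 ;;
    esac
    # Lines after the header are the host list. The explicit subshell makes
    # `exit 1` end only the pipeline element, so its status becomes the
    # pipeline's status and therefore the function's return value.
    printf '%s\n' "$1" | (
        IFS= read -r _header
        while IFS= read -r line; do
            case $line in
                ""|LOCAL:|SI:localuser:*) ;;
                *) exit 1 ;;
            esac
        done
    )
}

# xdm_auth_audit DIR OUTPUT -> 0 only when both checks pass.
xdm_auth_audit() {
    xdm_authdir_present "$1" && xhost_is_strict "$2"
}

# Constructed sample xhost outputs: the default the maintainer reports, and
# the weakened host list the reporter describes.
XHOST_DEFAULT='access control enabled, only authorized clients can connect'
XHOST_WEAK='access control enabled, only authorized clients can connect
INET:localhost
INET:thishost.domain.com
LOCAL:'

if xdm_auth_audit /etc/X11/xdm/authdir "$XHOST_DEFAULT"; then
    echo "ok: authdir present and xhost list is strict"
else
    echo "WARNING: authdir missing or xhost list is not strict"
fi
```

On a live system, replace the sample text with `"$(xhost)"` run from the xdm session being checked.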