This is irritating if nothing else. Why should a user be
able to telnet in, type "startx", and affect the console?
As a quick hack around this "Xwrapper" could be modified to
reject the request to start up X unless the process in on a
virtual console (tty1 etc.)
This isn't a real security problem per se. I've had occasion
to use this 'feature' in the past.
If we have time, we may implement a check for if the user is on the
console for 6.0, but it really isn't a security concern. If someone
does this to you, you call them up and get mad at them. :)
If it doesn't make 6.0, it will make post-6.0.
In particular, when this happens, it will be done by pamifying
xwrapper and making it authenticate against pam_console by default.
Then folks can add whatever other authentication they want -- like
pam_time, for example...
OK, I got time I didn't expect so I did this in time for 6.0 :-)
Now sysadmins can set their own policy here without recompiling.
Preston, go ahead and close this once the code is built into our
This will be included in XFree86-126.96.36.199-40 and later.