[Sorry to come with this again]
The now closed (DISCARDED) bug #8 happened on our systems
even within xdm. I dug a little bit and found out that
/etc/X11/xdm/authdir is missing. xdm tries to put its auth
files in /usr/X11R6/lib/X11/xdm/authdir which due to
symlinks resolves to /etc/X11/xdm/authdir. Someone should
include /etc/X11/xdm/authdir in the XFree86 package,
otherwise xdm will fall back to xhost authorization. Now we
have the -- still -- ill xhost values when starting without
xauth. The initial values should (at max) be 'LOCAL:' --
no 'thishost.domain.com' and 'localhost'. And the xhost
values (maybe except the LOCAL:) should be resettable by the
user, or am I talking nonsense here?
I think the lack of /etc/X11/xdm/authdir is due to us not
going through the 'official' redhat update procedure but
just installing the new rpms on the machines in our pool.
Maybe one should advise people to check for this directory
on their machines, because the lack of it causes IMO a
not negligible security breach. Don't forget to include
/etc/X11/xdm/authdir in the next release of XFree.
You are correct that /etc/X11/xdm/authdir is not owned by any
package. However, further investigation shows that xdm actually
creates the authdir if it is not present when it is first run.
Therefore there is no need for it to be owned by the package.
When logging in with xdm, on a 5.2 system, this is the default value
that I get for xhost:
[pbrown@pip xdm]$ xhost
access control enabled, only authorized clients can connect
which is what I would expect. Users other than myself cannot start X
programs. For example, here is what happens if I try to start xclock
as root (instead of myself, pbrown):
[root@pip xdm]# xclock
Xlib: connection to ":0.0" refused by server
Xlib: Client is not authorized to connect to Server
Error: Can't open display: :0.0
If you get other values from xhost while you are using xdm, you have
changed something in your configuration from the default settings.
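The two situations discussed in this thread (the host-based fallback list when xdm cannot write its auth files, versus the xauth-protected default where xhost prints only the "access control enabled" line) can be told apart by auditing the xhost output. The following is an added example, not code from the bug report or from XFree86; the xhost dumps it works on are constructed to mirror what the thread describes, and the set of entries it treats as acceptable ('LOCAL:' and single-user 'SI:localuser:' entries) is an assumption based on the reporter's "at max LOCAL:" remark.

```python
"""Audit `xhost` output for entries that widen access beyond the local user.

Added example for this bug thread, not part of the report or of XFree86.
The sample dumps below are constructed, not captured from a real system.
"""
import re

# Constructed sample: the fallback list the reporter describes when
# /etc/X11/xdm/authdir is missing and xdm falls back to xhost authorization.
XHOST_FALLBACK = """\
access control enabled, only authorized clients can connect
INET:thishost.domain.com
INET:localhost
LOCAL:
"""

# Constructed sample: the default the maintainer reports on a 5.2 system
# when xdm uses xauth; no host entries follow the status line.
XHOST_XAUTH_DEFAULT = """\
access control enabled, only authorized clients can connect
"""

# Constructed sample: access control switched off entirely (xhost +).
XHOST_DISABLED = """\
access control disabled, clients can connect from any host
"""

# Assumed acceptable entries: 'LOCAL:' (the reporter's suggested maximum)
# and 'SI:localuser:<name>', which names one local user only.
ACCEPTABLE = re.compile(r"^(LOCAL:|SI:localuser:\S+)$")


def audit_xhost(output: str) -> list[str]:
    """Return a list of findings for an xhost dump; an empty list means clean."""
    findings = []
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines:
        return ["no xhost output (is DISPLAY set?)"]
    status, entries = lines[0], lines[1:]
    if status.startswith("access control disabled"):
        findings.append("access control disabled: any host may connect")
    for entry in entries:
        if ACCEPTABLE.match(entry):
            continue
        # A host-based entry admits every user on that host; 'localhost' or
        # the machine's own name therefore admits every local user, which
        # is the breach the reporter observed.
        findings.append(f"host-based entry admits all users on: {entry}")
    return findings


if __name__ == "__main__":
    for name, dump in (("fallback", XHOST_FALLBACK),
                       ("xauth default", XHOST_XAUTH_DEFAULT),
                       ("disabled", XHOST_DISABLED)):
        print(name, "->", audit_xhost(dump) or "clean")
```

On a live system the same function can be fed the real output with `subprocess.run(["xhost"], capture_output=True, text=True).stdout`; a non-empty findings list on a freshly started xdm session is the symptom the reporter describes and a reason to check whether the authdir exists and is writable by xdm.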