From: jmaxwell@csugrad.cs.vt.edu (Jon A. Maxwell)
Newsgroups: comp.security.unix
Subject: X Windows Security
Date: 31 Aug 1995 01:52:14 -0400
Organization: Virginia Tech Computer Science Dept, Blacksburg, VA
Lines: 286
Message-ID: <423ime$c8t@csugrad.cs.vt.edu>
NNTP-Posting-Host: csugrad.cs.vt.edu

I found a couple problems with X, and posted them to comp.windows.x, but didn't think to crosspost them here!

] XGrabKeyboard() works fine for stopping key events from being sent to other clients, but the other clients can still use XQueryKeymap() to determine the state of the keyboard. A program can poll the keyboard and find out what is being typed even in 'secure' mode or xterm or the xdm login window.

] XChangeKeyboardMapping() can be used to trick the X system and clients into having anything as keyboard input. This is done by making all keys on the keyboard map to the same thing --what you want the next keystroke to be!

Both of these are not problems so long as the X server is configured properly so as to refuse connections from other people. It is very important to set up your X windows properly! Otherwise you might as well not even have a password on your account!

Below are two uuencoded programs, each demonstrates one of the above, but they've only been tested on a DECstation and an AlphaStation.

--
thur          Mail Address: LordArthur@vt.edu or jmaxwell@vt.edu
n r a JAMax   "All that we see or seem
h o w          Is but a dream within a dream."
tan lle                        --Edgar Allan Poe
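
The post's mitigation is an X server that refuses connections from other people. As an added example (not part of the original post or its uuencoded programs), this shell function classifies `xhost` output to show whether a display accepts such connections. The function names, sample hostname and sample username are constructed for illustration.

```shell
#!/bin/sh
# audit_xhost: read `xhost` output on stdin, print one finding per line.
# Returns 0 when only per-user entries are present, 1 when other users
# (local or remote) would be allowed to connect to the display.
audit_xhost() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control disabled; any host can connect"
                status=1 ;;
            "access control enabled"*)
                echo "OK: access control enabled" ;;
            SI:localuser:*)
                # Server-interpreted entry: a single named local account.
                echo "OK: single local user ${line#SI:localuser:}" ;;
            LOCAL:*)
                echo "WARN: every local user can connect ($line)"
                status=1 ;;
            "")
                ;;
            *)
                # Host-based entries admit every user on the listed host.
                echo "WARN: host entry admits all users on that host ($line)"
                status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample outputs (not captured from a real server).
sample_open() {
    printf '%s\n' \
        'access control disabled, clients can connect from any host' \
        'INET:lab7.example.edu'
}
sample_locked() {
    printf '%s\n' \
        'access control enabled, only authorized clients can connect' \
        'SI:localuser:jon'
}

# On a live display, run: xhost | audit_xhost
sample_open | audit_xhost || echo "=> other users can reach this display"
sample_locked | audit_xhost && echo "=> display limited to listed users"
```

With access control enabled and no host entries, clients that are not listed must present a valid Xauthority cookie before the server accepts them.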