Firewalls: Xceptions to filter rules

Firewalls
(October 1992)

Indexed By Thread: [Previous] [Next]

Subject:	Xceptions to filter rules
From:	"USA::JMA21624" <JMA21624%USA . decnet @ usav01 . glaxo . com>
Date:	15 Oct 92 09:52:00 EST
To:	"firewalls" <firewalls @ GreatCircle . COM>

As some have pointed out, we have to compromise security with users'
needs, and in some cases this means allowing X sessions with outside
nodes.  Hopefully, this means making specific exceptions in the filter
rules, specifying both source and destination node.  
What are the hidden gotchas in doing that?

I talked with someone at Usenix who is using a modified su that does not
work if other hosts have access to the x server, so that you don't give 
away the root password to xkey users.  Sudo, dosu, su, and other utilities
all should test the state of the x server before prompting for a
password.  Are there such modified sources available?  
If not, how difficult is it to add the xhost check?

Is there a forum for X security? 
(or is it down the hall from Military Intelligence?)

- Mac Allen

Indexed By Date	Previous:	Re: How to do proxy ftp? From: Don_Jarmon @ ingr . com
Indexed By Date	Next:	Source routing on Ciscos From: afx @ muc . ibm . de (Andreas Siegert)
Indexed By Thread	Previous:	Re: Reverse and double-reverse IP address lookups as service prerequisites From: Andrew Macpherson (Postmaster) <A . Macpherson @ bnr . co . uk>
Indexed By Thread	Next:	Source routing on Ciscos From: afx @ muc . ibm . de (Andreas Siegert)