The original question was:
> I've run SATAN against a couple of boxes and I get "No X server
> access control" - this is bad. I've logged into that box and
> cleaned out every xhost + I can find - .xinitrc, everything
> in $OPENWINHOME/lib, .xsession, Xsession and anyplace else
> I can find it. But the scan still comes up with the same
> warning. I've read through SATAN perl and it is apparently doing
> it - but I don't see how. Can someone advise me where else this
> ! @
#$%%^#@ is hiding?
______________________________________________________________________________
From: Michel . Koenen @ asml . nl (Michel Koenen)
Maybe you start openwin with the -noauth option...
Turn it off and hopefully SATAN will not complain anymore...
______________________________________________________________________________
From: Tim Wyatt <timw @ paradise . net>
Forgive me if I simply misinterpreted your posting, but you need to put a
'xhost -' line in one of those files... The default behavior for XFree86
(the only X-server I have any X-pertise in), at least, is open unless
explicitly closed. Hope this helps...
______________________________________________________________________________
From: A . Chan @ CdnAir . CA (Alan Chan)
Try looking at:
~user/.cshrc
~user/.login
~user/.profile
~user/.openwin-init
Or if you have the time, try:
cd dir_name
find . -xdev -print -exec grep xhost {} \;
This will take a while and slow down the system considerably. This looks
through all files and searches for the string xhost. It will scroll up quickly.
You can dump it to a file and look at it later.
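
A narrower version of the search suggested in the replies above, as an added example that is not part of the original thread: it checks only the startup files named here and reports bare "xhost +", per-host "xhost +name" and the -noauth option, with file and line number. The function name, the labels and the file list are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit X startup files for lines that weaken X access control.
# The file list, function name and OPEN/HOST/NOAUTH labels are assumptions.
X_STARTUP_FILES=".xinitrc .xsession .cshrc .login .profile .openwin-init"

# audit_x_access DIR...
#   OPEN   = bare "xhost +"   (access control off for every host)
#   HOST   = "xhost +name"    (one more host allowed to connect)
#   NOAUTH = "-noauth" option on a command line
audit_x_access() {
    for dir in "$@"; do
        for name in $X_STARTUP_FILES; do
            f="$dir/$name"
            [ -f "$f" ] || continue
            awk '
                /^[ \t]*#/ { next }    # skip comment lines
                /(^|[^A-Za-z0-9_])xhost[ \t]+\+([ \t;&|]|$)/ {
                    print "OPEN " FILENAME ":" FNR ": " $0; next }
                /(^|[^A-Za-z0-9_])xhost[ \t]+\+[^ \t;&|]/ {
                    print "HOST " FILENAME ":" FNR ": " $0; next }
                /(^|[ \t])-noauth([ \t]|$)/ {
                    print "NOAUTH " FILENAME ":" FNR ": " $0 }
            ' "$f"
        done
    done
}

# Audit the directories given on the command line, e.g. one per home directory.
if [ "$#" -gt 0 ]; then
    audit_x_access "$@"
fi
```

The files show only what is configured at login; running xhost with no arguments on the display itself reports whether access control is currently enabled.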
______________________________________________________________________________
From: Steve Lodin <swlodin @ eng . delcoelect . com>
Generally, this vulnerability is only discovered if someone is
actually using the X server process and has turned off X server access
control while Satan was scanning.
You might need to have the user log off and log back on again
(restarting the X server in the process). You didn't say, but I
assume it was a Sun workstation. PCs and X terminals are more
difficult to fix sometimes.
______________________________________________________________________________
From: Michael Wright ED23 <michael @ morticia . msfc . nasa . gov>
xhost could also be in the .login or .profile. I keep mine in there to turn
xhost on and then not use it.
______________________________________________________________________________
From: djohnson @ nbserv2 . dseg . ti . com (Danny Johnson 0172547)
As I recall there is some way to fake an xhost by writing some
'skeleton key' kind of entry into your .Xauthority file...
______________________________________________________________________________