Hacker News new | ask | show | jobs
by anonymouz 4768 days ago
And when the stuff was originally written, this was probably not considered to be a "security boundary" in the sense that the client will have higher privileges than the server. As the email notes, this happens rather rarely.
1 comments
lawnchair_larry 4768 days ago
Actually it was more common back then. Remember, "client" and "server" are backwards in the context of X. A "thin client" actually runs an X Server, and you remotely launch an xterm on the central server as an "x client", exported to your display.

However, as the email states, this only gets you the same access your user already had on the remote system, unless it's a setuid program. The canonical example and only one I can think of off the top of my head is xscreensaver or xlock. There are now GUI versions of su/sudo that would also be targets, but I don't think variants of these were used back when this topology was common.

link
mprovost 4767 days ago
This is a good read about how jwz coded xscreensaver to be secure and the pitfalls of using GUI toolkits:

http://www.jwz.org/xscreensaver/toolkits.html

link