[PATCH] tcp-wrappers support extended to x11 forwards

Dan Astoorian djast at cs.toronto.edu
Thu Nov 29 03:20:10 EST 2001


On Wed, 28 Nov 2001 07:30:15 EST, Damien Miller writes:
> > 
> > I haven't verified the need for this, I've been listening to comments
> > on this list related to the forwarded X11 ports.  I've understood
> > that if you use localhost:x.y as your display some (misbehaving)
> > applications will break.

FWIW, the problem is with Xlib, not the applications themselves.  Not
that it matters.

> Have you actually verified this? and checked whether the 
> IPADDR_IN_DISPLAY workaround that we already have in place 
> (see channels.c) avoids it?

The code which optimizes loopback connections to unix-domain sockets is
(typically) keyed off of the IP address, not the name "localhost"; I
doubt that IPADDR_IN_DISPLAY could make any difference.

The Solaris 2.5.1 source (which is merely the closest reference I have
at hand) has several source files (e.g., MakeTCPConnection() in
XConnDis.c) which contain the comment:

    /*
     * We are special casing the BSD hack localhost address
     * 127.0.0.1, since this address shouldn't be copied to
     * other machines.  So, we simply omit generating the auth info
     * since we set it to the local machine before calling this routine!
     */

followed immediately by the following code or something very similar
thereto:

    if (!((len == 4) && (cp[0] == 127) && (cp[1] == 0) &&
          (cp[2] == 0) && (cp[3] == 1))) {
        /*...*/
    }

I'd need to look deeper, but I don't think there's that much of a
difference between X over unix domain sockets vs. TCP, once the file
descriptor has been established; the same routines that handle an X
connection to TCP port 6000+dpy would probably work with little
modification with a unix socket.

If the OpenSSH maintainers agree that supporting Unix sockets--assuming
that doing so doesn't complicate the code significantly--may be the best
solution to this problem, I'd be willing to explore this further.

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
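Added example, not code from this thread, from Xlib or from OpenSSH: a small parser for the DISPLAY string ("host:dpy[.screen]", IPv4 or hostname only) together with a copy of the 127.0.0.1 test quoted above from MakeTCPConnection(). It shows the point made in the reply: the special case keys off the resolved address bytes, so "localhost:10" and "127.0.0.1:10" land in the same branch, and rewriting the name to an address in DISPLAY (the IPADDR_IN_DISPLAY idea) changes nothing. Assumptions: the name "localhost" is mapped to 127.0.0.1 by a constructed stand-in for the resolver (no DNS lookup is done); the struct, enum and function names are invented for this illustration; the TCP port is computed as 6000 + display number as the mail states.

```c
/*
 * Added illustration (not Xlib or OpenSSH code): a DISPLAY parser plus a
 * copy of the 127.0.0.1 check quoted from Xlib's MakeTCPConnection().
 * Assumption: "localhost" is resolved by a constructed stand-in, not DNS.
 */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define X_TCP_BASE_PORT 6000   /* X server for display N listens on 6000+N */

enum display_kind { DISPLAY_UNIX, DISPLAY_LOOPBACK, DISPLAY_REMOTE };

struct display_info {
    char host[256];
    int dpy;
    int screen;
    int port;                  /* 6000 + dpy; meaningless for DISPLAY_UNIX */
    enum display_kind kind;
};

/* Mirror of the quoted Xlib test: a 4-byte address equal to 127.0.0.1. */
int is_bsd_loopback(const unsigned char *cp, size_t len)
{
    return len == 4 && cp[0] == 127 && cp[1] == 0 && cp[2] == 0 && cp[3] == 1;
}

/* Constructed resolver stand-in (hypothetical): numeric IPv4 hosts go through
 * inet_pton, and the single name "localhost" maps to 127.0.0.1.
 * Returns the address length (4) or 0 if the host cannot be resolved. */
static size_t resolve_host(const char *host, unsigned char out[4])
{
    struct in_addr a;
    if (strcmp(host, "localhost") == 0) {
        out[0] = 127; out[1] = 0; out[2] = 0; out[3] = 1;
        return 4;
    }
    if (inet_pton(AF_INET, host, &a) == 1) {
        memcpy(out, &a, 4);
        return 4;
    }
    return 0;
}

/* Parse "host:dpy[.screen]". An empty host (or "unix") means a local
 * unix-domain socket. Returns 0 on success, -1 on malformed/unresolvable input. */
int parse_display(const char *display, struct display_info *info)
{
    const char *colon = strrchr(display, ':');
    size_t hostlen;
    unsigned char addr[4];
    int n;

    if (colon == NULL)
        return -1;
    hostlen = (size_t)(colon - display);
    if (hostlen >= sizeof info->host)
        return -1;
    memcpy(info->host, display, hostlen);
    info->host[hostlen] = '\0';

    n = sscanf(colon + 1, "%d.%d", &info->dpy, &info->screen);
    if (n < 1 || info->dpy < 0)
        return -1;
    if (n < 2)
        info->screen = 0;
    info->port = X_TCP_BASE_PORT + info->dpy;

    if (hostlen == 0 || strcmp(info->host, "unix") == 0) {
        info->kind = DISPLAY_UNIX;
        return 0;
    }
    if (resolve_host(info->host, addr) == 0)
        return -1;
    /* The decision is taken on the resolved bytes, never on the spelling. */
    info->kind = is_bsd_loopback(addr, 4) ? DISPLAY_LOOPBACK : DISPLAY_REMOTE;
    return 0;
}

int main(void)
{
    /* Constructed sample DISPLAY values. */
    const char *samples[] = { "localhost:10.0", "127.0.0.1:10", "192.0.2.7:1", ":0" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct display_info d;
        if (parse_display(samples[i], &d) != 0) {
            printf("%-16s malformed\n", samples[i]);
            continue;
        }
        printf("%-16s host=%-10s port=%d kind=%d\n",
               samples[i], d.host, d.port, (int)d.kind);
    }
    return 0;
}
```

Both loopback spellings report kind 1 (DISPLAY_LOOPBACK), which is the branch where the quoted Xlib code skips generating auth info; only a host that resolves to something other than 127.0.0.1 reaches the other branch.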