Default local auth policy

James Cloos cloos at jhcloos.com
Mon Mar 16 10:05:19 PDT 2009


>>>>> "Adam" == Adam Jackson <ajax at nwnk.net> writes:

>> While I disagree that storing cookies in $HOME ‘sucks for NFS’,

Adam> I should have clarified.  It sucks because NFS is unencrypted and
Adam> storing your auth cookies there means the whole wire gets to read them.
Adam> If you trust everyone on your local network, great.

Ah, OK.  I was presuming a secure config.  (Or, perhaps, had a fit of
nostalgia. :)

>> Which leaves the interesting question of what should happen if -auth
>> is not specified, but -ac is?

Adam> -ac means "disable access control".

I must've been just barely awake.  While reminding myself of -ac's
purpose, I read "disables host-based access control mechanisms."
and must've only thought about the host-based part....

>> Not to mention whether -nolisten tcp also should be the default?
>> Or perhaps the default only w/o -ac and -auth?

Adam> In the absence of a -listen, that would be unpleasant.  Not that
Adam> you're necessarily wrong.

If the point is to make it easier for the currently typical use case of
a single box acting as both server and host-for-the-clients, where unix-
domain sockets are the norm, tcp sockets may be unnecessary.

In any case, just in case I was ambiguous, +1 to the original idea.

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

