[Bug 296604] Re: Sugar-Emulator has no access control

[mungewell]

A quick fix for this would be to use the Xauth file of the
running/calling user.

The emulator.py should call 'xauth add <$display> . <random 128bit/32hex
char>', and then Xephyr can be called without the '-ac' flag.

The Xephyr server still listens on the TCP/IP ports, but does not allow
others to connect unless they have imported the same key to their Xauth
file.

Simon.

-- 
Sugar-Emulator has no access control
https://bugs.launchpad.net/bugs/296604
You received this bug notification because you are a member of Sugar
Team, which is subscribed to sugar in ubuntu.

Status in “sugar” source package in Ubuntu: New

Bug description:
Binary package hint: sugar

Sugar-Emulator uses the '-ac' flag in the Xephyr command line, with turns off access control. 

This means that anyone on the network can attach to the display/keyboard/mouse and interfer with the operation of Sugar (such as running xeyes, which goes full screen and can not be cancelled!).

With Xephyr on display :1
--
simon at destiny:~$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN         
tcp6       0      0 :::6001                 :::*                    LISTEN  
--

Simon.