| 1 |
-Y still uses an .Xauthority so that isn't a surprise. |
| 2 |
> MIT-MAGIC-COOKIE security is used by both -X and -Y, which is what |
| 3 |
> this file is used for. |
| 4 |
> |
| 5 |
|
| 6 |
> The difference between -X and -Y is in providing a layer of security |
| 7 |
> so that remote clients can't play games like keyboard sniffing with |
| 8 |
> your local X server. |
| 9 |
> |
| 10 |
|
| 11 |
I had conflated those extra checks with .Xauthority. |
| 12 |
|
| 13 |
How would the keyboard sniffing attack work? Since everything over the |
| 14 |
network is made confidential by ssh, i'm guessing the attack would be by a |
| 15 |
local user on the ssh client/X server box somehow? |
| 16 |
|
| 17 |
|
| 18 |
Whether this ought to be a default was apparently a debate over a |
| 19 |
> decade ago, when the USE flag was at least added to make it possible. |
| 20 |
> I haven't used it in a while though so I can't vouch for whether there |
| 21 |
> are any issues with -X when the USE flag is enabled to build the |
| 22 |
> extension. |
| 23 |
> |
| 24 |
> https://bugs.gentoo.org/237778 |
| 25 |
> |
| 26 |
> |
| 27 |
I can see gentoo disables xcsecurity by default because upstream does. |
| 28 |
I'll just stick with -Y then. |
| 29 |
|
| 30 |
thanks |
Archives