Re: Problem starting a remote session...
- Subject: Re: Problem starting a remote session...
- From: "Mark J. Reed" <email@hidden>
- Date: Mon, 10 Oct 2005 21:40:14 -0400

On 10/10/05, Roch M. Comeau <email@hidden> wrote:
> story), what is the difference between -X and -Y (X11 forwarding vs.
> trusted X11 forwarding) and why this has been flaky on Tiger (what
> changed).

The difference between -X and -Y is the amount of trust given to X11
clients using the forwarded connection. -X is called "untrusted X11
forwarding" because the clients connecting through the tunnel are
"untrusted" by the X server - they have only limited access, and can't
do things like snoop on X events sent to other applications. In
contrast, trusted X11 forwarding via -Y means "trust all clients
connecting through this tunnel completely". It's the more dangerous
option, but also the more reliable. That's because privilege
separation in X display access is a recent development; it was
traditionally all-or-nothing. So many X applications which were
written before the advent of the privilege-separation model (or which
were written by developers unfamiliar with it) will fail if they don't
have full access, even though they don't actually need full access to
function.

So the recommendation is: try -X first, and then, only if you find
that something you need to run is broken, switch to -Y. If security
is really a concern, fire up a subdisplay using xnest and run your
remote clients connected to that rather than your main display.

I'm afraid I don't know anything about the specific changes in OS X
from Panther to Tiger or within Tiger subreleases that are related to
all of this.

--
Mark J. Reed <email@hidden>
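
Added example, not part of the original message: a check of which forwarding mode the ssh client configuration actually selects for a host, since the `ForwardX11` and `ForwardX11Trusted` client options are the configuration counterparts of -X and -Y. It assumes an OpenSSH client recent enough to support `ssh -G`; the function names and the sample host are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# Reads `ssh -G <host>` output (the effective client config) on stdin and
# prints how X11 forwarding would behave for that host:
#   off                   no forwarding unless -X or -Y is typed
#   off-but-X-is-trusted  forwarding off, but a typed -X would act like -Y
#   untrusted             forwarding on, limited access (same as -X)
#   trusted               forwarding on, full access (same as -Y)
x11_mode() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "forwardx11"        { fwd = val }
        key == "forwardx11trusted" { trust = val }
        END {
            if (fwd == "yes")        print (trust == "yes" ? "trusted" : "untrusted")
            else if (trust == "yes") print "off-but-X-is-trusted"
            else                     print "off"
        }'
}

# Report the mode for each host named on the command line.
# Prints "unknown" when ssh -G fails (old client, bad config, no ssh).
x11_report() {
    for h in "$@"; do
        if cfg=$(ssh -G "$h" 2>/dev/null); then
            printf '%s\t%s\n' "$h" "$(printf '%s\n' "$cfg" | x11_mode)"
        else
            printf '%s\tunknown\n' "$h"
        fi
    done
}

# Constructed sample of `ssh -G` output (hypothetical host name).
sample='hostname build01.example.test
forwardx11 no
forwardx11trusted yes'
printf '%s\n' "$sample" | x11_mode
```

A result of `off-but-X-is-trusted` means that "try -X first" would not give the limited access described above on that client until `ForwardX11Trusted` is set to `no`.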