Re: vim server ? security hole?
On 7/28/06, Yakov Lerner <iler.ml@...> wrote:
> On 7/28/06, Nikolai Weibull <now@...> wrote:
> > On 7/27/06, Bram Moolenaar <Bram@...> wrote:
> > > Vim uses the X server for communication. Only users with write access
> > > to the X server can send a message to Vim. And if you have write
> > > access, you are also able to send keystrokes to another process, thus
> > > you can do anything anyway. E.g., by sending keystrokes to an xterm in
> > > which a shell is running.
> > >
> > > That is, I think it works this way. Perhaps someone with more detailed
> > > knowledge of X server access restrictions can give a better answer.
> > Actually, you have to explicitly allow the sending of synthetic
> > keystrokes to an xterm (the allowSendEvents resource).
> Via 'editres protocol', you can remotely manipulate
> resources of a running xterm (because xterm is an Xt application).
> I believe that it is possible to turn remotely this
> allowSendEvents of xterm (if one has X server access).
> Unless this allowSendEvents is treated differently than
> other resources; I did not try to write a working example.
> I don't care, I always run with 'xhost +'.
> > I don't know,
> > but perhaps Vim "needs" to have something similar.
> Vim has something similar:
> gvim --servername ""
> disables clientserver in gvim.
Well, that's not the same thing. I found this, by the way:
Still, I really don't think that other users should be able to connect
to a remote Vim.
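
An added example, not part of the thread: a small audit script for the exposure discussed above, reporting how open the X server is (for instance after `xhost +`), whether the resource database enables xterm's `allowSendEvents`, and which Vim servers are registered on the display. The function names and the sample inputs used to exercise them are assumptions made for this example.

```shell
#!/bin/sh
# Classify `xhost` output (read on stdin) by who may connect to the X server,
# and therefore who may send messages to a Vim server registered on it.
classify_xhost() {
    awk '
        /^access control disabled/ { open = 1 }
        # Host-family entries admit every user on the listed host.
        /^(INET|INET6|LOCAL):/     { hosts++ }
        END {
            if (open)       print "open"         # e.g. after "xhost +"
            else if (hosts) print "host-based"
            else            print "user-scoped"  # cookies / SI:localuser only
        }'
}

# Succeeds if `xrdb -query` output (on stdin) sets allowSendEvents to a true value.
# Static check only: the thread notes resources may also be changed at runtime.
sendevents_enabled() {
    grep -Eiq 'allowSendEvents:[[:space:]]*(true|on|yes|1)[[:space:]]*$'
}

audit_live() {
    [ -n "${DISPLAY:-}" ] || { echo "no DISPLAY set; nothing to audit"; return 0; }
    if command -v xhost >/dev/null 2>&1; then
        if out=$(xhost 2>/dev/null); then
            echo "X access control: $(printf '%s\n' "$out" | classify_xhost)"
        else
            echo "X access control: could not query $DISPLAY"
        fi
    fi
    if command -v xrdb >/dev/null 2>&1 &&
       xrdb -query 2>/dev/null | sendevents_enabled; then
        echo "xterm allowSendEvents is enabled in the resource database"
    fi
    if command -v vim >/dev/null 2>&1; then
        echo "Vim servers on this display: $(vim --serverlist 2>/dev/null | tr '\n' ' ')"
    fi
    return 0
}

audit_live
```

A result of `open` means any client that can reach the display can connect; `xhost -` turns access control back on.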