COMMAND

    vuefile, vuepad, dtfile, dtpad

SYSTEMS AFFECTED

    HP9000 Series 700/800s running HP-UX releases 9.X and 10.X

PROBLEM

    Users can inadvertently allow access to their accounts by running
    vuefile, vuepad, dtfile, or dtpad with the display directed to an
    Xserver they do not control.  Users can gain privileges since
    vuefile, vuepad, dtfile, and dtpad do not authenticate users.  Care
    must be taken to ensure that only one user per Xserver runs these
    programs.

SOLUTION

    HP's recommended solution is as follows.  Inform users so that they
    can avoid the situation: they should never run vuefile, vuepad,
    dtfile, or dtpad while su'd to another account, and they should
    never run these programs with the display directed to another
    Xserver unless they are logged into that Xserver under the same
    account.

    One way to make it more difficult for a user to su and run these
    programs is to enable per-user authorization.  This also eliminates
    the potential for a user to run the programs on the wrong display
    by accidentally mistyping the display name.

    Per-user authorization is the default in  CDE.  In Vue, it can  be
    enabled in /usr/vue/config/Xconfig:

    #  To enable R4 MIT-MAGIC-COOKIE-1 per-user authorization.
    #
    Vuelogin*authorize:         True
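
    The following POSIX shell script is an added example and is not
    part of the HP advisory or of HP-UX.  It checks whether a Vue
    Xconfig file actually enables per-user authorization: it ignores
    comment lines (so a "Vuelogin*authorize: True" that is only present
    as a comment does not count), takes the last uncommented setting of
    the resource, and reports True or not.  The resource name is the
    one quoted above; the sample files it writes are constructed for
    the demonstration and are not real HP configuration files.

```shell
#!/bin/sh
# Added example, not from the HP advisory.  Checks a Vue Xconfig file
# for the "Vuelogin*authorize: True" resource the advisory recommends.

# Return 0 if the last uncommented "Vuelogin*authorize" line in the
# file sets the value True (any case); return 1 if the resource is
# missing, commented out, or set to anything else.
vue_authorize_enabled() {
    file="$1"
    # Strip leading whitespace, drop "#" and "!" comment lines, keep
    # only the authorize resource, take the last occurrence (later
    # resource lines override earlier ones), and isolate the value.
    value=$(sed -e 's/^[[:space:]]*//' -e '/^[!#]/d' "$file" \
        | grep '^Vuelogin\*authorize[[:space:]]*:' \
        | tail -n 1 \
        | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//')
    case "$value" in
        [Tt][Rr][Uu][Ee]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Print a one-line verdict for a file; always returns 0 so it can be
# called at top level without aborting under "set -e".
report_vue_authorize() {
    if vue_authorize_enabled "$1"; then
        echo "$1: per-user authorization ENABLED"
    else
        echo "$1: per-user authorization NOT enabled"
    fi
    return 0
}

# Constructed sample Xconfig fragment with the resource enabled.
write_enabled_sample() {
    cat > "$1" <<'EOF'
# Constructed sample (not a real HP file)
#  To enable R4 MIT-MAGIC-COOKIE-1 per-user authorization.
#
Vuelogin*authorize:         True
EOF
}

# Constructed sample where the True line is only a comment and the
# effective setting is False.
write_disabled_sample() {
    cat > "$1" <<'EOF'
# Constructed sample (not a real HP file)
# Vuelogin*authorize:         True
Vuelogin*authorize:         False
EOF
}

# Stand-alone demonstration on the two constructed samples.
demo_on=/tmp/xconfig_on.$$
demo_off=/tmp/xconfig_off.$$
write_enabled_sample "$demo_on"
write_disabled_sample "$demo_off"
report_vue_authorize "$demo_on"
report_vue_authorize "$demo_off"
rm -f "$demo_on" "$demo_off"
```

    To audit a live system, run
    "report_vue_authorize /usr/vue/config/Xconfig"; a machine that
    reports NOT enabled is one where the keystroke-capture and
    display-hijack problems described in this advisory remain open to
    any process that can reach the Xserver.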

    Note that if per-user authorization is not enabled, many security
    breaches are possible; for example, a program can capture
    keystrokes typed on the Xserver.  The root user can circumvent
    per-user authorization, and non-root users can give their
    Xauthority away, so all users must still be aware not to run
    vuefile, vuepad, dtfile, or dtpad as described above.