On a far more unhappy note, ending your session is probably the nicest
thing they could do. If someone has access to your X display, they
also have control of the resource database for your session, which
contains all of the attributes assigned to that session. One of these
attributes (AllowSendEvents), controls the receiving of events from
a process foreign to the current event in question. I.E., when a window
is created, it reads information from RESOURCE_MANAGER and
SCREEN_RESOURCES via xrdb, which contains these attributes (like
AllowSendEvents). Unfortunately, when someone has r/w access to your
display, they have r/w access to the database, and therefore, all
of your attributes. All one needs to do at this point is
manually utilize xrdb retrieve a copy of the database, modify
AllowSendEvents: true, reupload the database, and wait for
a user to launch another xterm (so the new attributes can take
effect). It is then trivial to write an xevent interjection tool,
to send "xterm -display IAMAMEANMANONAMEANHOST:0.0" to the window
based on window id, which can also be easily retrieved from the server.
Obviously, the command will be executed as whatever user the session
belongs to, and im sure quite a few of us log onto the console as root.
Matt Harrigan
CIO, Microcosm Computer Resources
matth@mcr.com
415-333-1062