X Myths 129 Myth: X Makes Unix “Easy to Use” Graphical interfaces can only paper over misdesigns and kludges in the underlying operating system they can’t eliminate them. The “drag-and-drop” metaphor tries to cover up the Unix file system, but so little of Unix is designed for the desktop metaphor that it’s just one kludge on top of another, with little holes and sharp edges popping up everywhere. Maybe the “sag-and-drop” metaphor is more appropriate for such ineffective and unreliable performance. A shining example is Sun’s Open Windows File Manager, which goes out of its way to display core dump files as cute little red bomb icons. When you double-click on the bomb, it runs a text editor on the core dump. Harmless, but not very useful. But if you intuitively drag and drop the bomb on the DBX Debugger Tool, it does exactly what you’d expect if you were a terrorist: it ties the entire system up, as the core dump (including a huge unmapped gap of zeros) is pumped through the server and into the debugger text window, which inflates to the maximum capacity of swap space, then violently explodes, dumping an even bigger core file in place of your original one, filling up the file system, overwhelming the file server, and taking out the File Manager with shrapnel. (This bug has since been fixed.) But that’s not all: the File Manager puts even more power at your fingertips if you run it as root! When you drag and drop a directory onto itself, it beeps and prints “rename: invalid argument” at the bottom of the window, then instantly deletes the entire directory tree without bothering to update the graphical directory browser. The following message illustrates the X approach to “security through obscurity”: Date: Wed, 30 Jan 91 15:35:46 -0800 From: David Chapman zvona@gang-of-four.stanford.edu To: UNIX-HATERS Subject: MIT-MAGIC-COOKIE-1 For the first time today I tried to use X for the purpose for which it was intended, namely cross-network display. So I got a telnet win- dow from boris, where I was logged in and running X, to akbar, where my program runs. Ran the program and it dumped core. Oh. No doubt there’s some magic I have to do to turn cross-network X on. That’s stupid. OK, ask the unix wizard. You say setenv DIS-
130 The X-Windows Disaster PLAY boris:0. Presumably this means that X is too stupid to figure out where you are coming from, or Unix is too stupid to tell it. Well, that’s Unix for you. (Better not speculate about what the 0 is for.) Run the program again. Now it tells me that the server is not autho- rized to talk to the client. Talk to the unix wizard again. Oh, yes, you have to run xauth, to tell it that it’s OK for boris to talk to akbar. This is done on a per-user basis for some reason. I give this 10 seconds of thought: what sort of security violation is this going to help with? Can’t come up with any model. Oh, well, just run xauth and don’t worry about it. xauth has a command processor and wants to have a long talk with you. It manipulates a .Xauthority file, apparently. OK, presumably we want to add an entry for boris. Do: xauth help add add dpyname protoname hexkey add entry Well, that’s not very helpful. Presumably dpy is unix for “display” and protoname must be… uh… right, protocol name. What the hell protocol am I supposed to use? Why should I have to know? Well, maybe it will default sensibly. Since we set the DISPLAY variable to “boris:0,” maybe that’s a dpyname. xauth add boris:0 xauth: (stdin):4 bad "add" command line Great. I suppose I’ll need to know what a hexkey is, too. I thought that was the tool I used for locking the strings into the Floyd Rose on my guitar. Oh, well, let’s look at the man page. I won’t include the whole man page here you might want to man xauth yourself, for a good joke. Here’s the explanation of the add command: add displayname protocolname hexkey An authorization entry for the indicated display using the given protocol and key data is added to the authorization file. The data is specified as an even-length string of hexadecimal digits, each pair representing one octet. The first digit gives the most significant 4 bits of the octet and the second digit gives the least significant 4 bits. A protocol name consisting of just a single period is treated as an abbreviation for MIT-MAGIC-COOKIE-1. This is obviously totally out of control. In order to run a program across the goddamn network I’m supposed to be typing in strings of hexadecimal digits which do god knows what using a program that