Re: X authentication and su (Re: changing framebuffer device owner during login)

To: Development of Debian <debian-devel@lists.debian.org>
Subject: Re: X authentication and su (Re: changing framebuffer device owner during login)
From: Matt Zimmerman <mdz@debian.org>
Date: Mon, 18 Jun 2001 21:58:02 -0400
Message-id: <[🔎] 20010618215801.A30036@alcor.net>
Mail-followup-to: Development of Debian <debian-devel@lists.debian.org>
In-reply-to: <[🔎] 20010619021153.E18724@topaz.mdcc.cx>
References: <[🔎] 20010619021153.E18724@topaz.mdcc.cx>

On Tue, Jun 19, 2001 at 02:11:53AM +0200, Joost Kooij wrote:

> On Sun, Jun 17, 2001 at 02:27:41PM -0400, Matt Zimmerman wrote:
> > Instead, add a line like this:
> > 
> > export XAUTHORITY=~/.Xauthority
> > 
> > To your shell initialization file.  As long as you su without the '-'
> > argument, this variable will be preserved, and X clients will be able to
> > authenticate to your display.
> 
> AFAIK, using su without the '-' is bad style.  Your $TMPDIR will be laced
> with root-owned files.  The lights dim when you run vipw, because $EDITOR is
> set to /usr/bin/X11/gnome-xemacs-with-kitchen-and-restaurant-mule-i18n.
> 
> Worst of all, you will no longer be able to run traceroute, even as root
> (even with the suid bit on!), because /usr/sbin isn't in luser's default
> $PATH... Mwwuuuhahaha!

*shrug*.  My $TMPDIR gets reaped on a regular basis, my $EDITOR is vim, and
/usr/sbin is in mdz's PATH.  YMMV.

> Also, reusing the XAUTHORITY environment variable doesn't work generally for
> all users that one would like to su to.  It works for root because root can
> read anyone's files, even when said files are mode 600 ( as .Xauthority is
> supposed to be.)

In addition to being the most common case, su'ing to root was the situation
being discussed.  I rarely have a need to run X programs as root and let them
connect to my X display, but I even more rarely need to do the same as any
other user (in fact, doing so could represent a security risk).

> You might as well:
> 
> luser> $ su - password: root> # export DISPLAY=:0 root> # export
> XAUTHORITY=~luser/.Xauthority root> # /sbin/netscape &  # just kidding, tee
> hee hee
> 
> It Works For Me.

Yes, I often do it that way as well, especially on systems where doing a plain
'su' doesn't set $HOME (blecch).

> The portable solution that works for su'ing to other users as well is to use
> the proper interface, xauth, directly.
> 
> luser> xauth list [lines with stuff, copy the "unix" one for your local
> display] luser> su - paranoid password: paranoid> export DISPLAY=:0 paranoid>
> xauth add [now paste that line you just copied here] paranoid>
> /usr/bin/X11/untrusted-binary &

Don't forget 'xauth remove' at the end.  Though you may as well just log out of
your X session to get a new cookie, since 'luser' created a cron job which runs
cp ~/.Xauthority to ~/mail/harharhar once a minute and is probably recording
your keystrokes already...

And if untrusted-binary really is untrusted, you haven't protected yourself
very much by running it as another user, since it has full access to your X
display.

-- 
 - mdz

Reply to:

References:
- Re: X authentication and su (Re: changing framebuffer device owner during login)
  - From: joost@topaz.mdcc.cx (Joost Kooij)

Prev by Date: Re: ITP ptolemy?
Next by Date: Re: Intent to Rewrite: pwgen
Previous by thread: Re: X authentication and su (Re: changing framebuffer device owner during login)
Next by thread: Re: X authentication and su (Re: changing framebuffer device owner during login)
Index(es):
- Date
- Thread