Re: X authentication and su (Re: changing framebuffer device owner during login)
On Tue, Jun 19, 2001 at 02:11:53AM +0200, Joost Kooij wrote:
> On Sun, Jun 17, 2001 at 02:27:41PM -0400, Matt Zimmerman wrote:
> > Instead, add a line like this:
> >
> > export XAUTHORITY=~/.Xauthority
> >
> > to your shell initialization file. As long as you su without the '-'
> > argument, this variable will be preserved, and X clients will be able to
> > authenticate to your display.
>
> AFAIK, using su without the '-' is bad style. Your $TMPDIR will be laced
> with root-owned files. The lights dim when you run vipw, because $EDITOR is
> set to /usr/bin/X11/gnome-xemacs-with-kitchen-and-restaurant-mule-i18n.
>
> Worst of all, you will no longer be able to run traceroute, even as root
> (even with the suid bit on!), because /usr/sbin isn't in luser's default
> $PATH... Mwwuuuhahaha!
*shrug*. My $TMPDIR gets reaped on a regular basis, my $EDITOR is vim, and
/usr/sbin is in mdz's PATH. YMMV.
> Also, reusing the XAUTHORITY environment variable doesn't work generally for
> all users that one would like to su to. It works for root because root can
> read anyone's files, even when said files are mode 600 ( as .Xauthority is
> supposed to be.)
In addition to being the most common case, su'ing to root was the situation
being discussed. I rarely have a need to run X programs as root and let them
connect to my X display, but I even more rarely need to do the same as any
other user (in fact, doing so could represent a security risk).
> You might as well:
>
> luser> $ su -
> password:
> root> # export DISPLAY=:0
> root> # export XAUTHORITY=~luser/.Xauthority
> root> # /sbin/netscape &    # just kidding, tee hee hee
>
> It Works For Me.
Yes, I often do it that way as well, especially on systems where doing a plain
'su' doesn't set $HOME (blecch).
> The portable solution that works for su'ing to other users as well is to use
> the proper interface, xauth, directly.
>
> luser> xauth list
> [lines with stuff, copy the "unix" one for your local display]
> luser> su - paranoid
> password:
> paranoid> export DISPLAY=:0
> paranoid> xauth add [now paste that line you just copied here]
> paranoid> /usr/bin/X11/untrusted-binary &
Don't forget 'xauth remove' at the end. Though you may as well just log out of
your X session to get a new cookie, since 'luser' created a cron job which runs
cp ~/.Xauthority to ~/mail/harharhar once a minute and is probably recording
your keystrokes already...
And if untrusted-binary really is untrusted, you haven't protected yourself
very much by running it as another user, since it has full access to your X
display.
--
- mdz
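As an added example (not from either poster, and not part of the thread): the error-prone step in the xauth procedure above is picking the right line out of `xauth list`, namely the "host/unix:N" entry for the local display, and then remembering to remove it again in the target user's authority file afterwards. The POSIX shell helpers below do that selection over a constructed sample of `xauth list` output (the hostname `wks` and the cookie values are made up) and print the exact `xauth add` and `xauth remove` command lines the target user would run. Nothing here talks to an X server; it only prepares the commands.

```shell
#!/bin/sh
# Added example: select the local-display cookie from `xauth list` output and
# build the matching `xauth add` / `xauth remove` commands for the su'd-to user.
# SAMPLE_XAUTH_LIST is constructed for this example, not captured from a host.

SAMPLE_XAUTH_LIST='wks/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
wks:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
wks/unix:1  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# local_cookie_entry LIST DISPLAYNUM
# Prints the "host/unix:N  proto  cookie" line for display N (the local
# unix-socket entry, not the TCP "host:N" one), or nothing if absent.
local_cookie_entry() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 ~ "/unix:" n "$" { print; exit }'
}

# xauth_add_command LIST DISPLAYNUM
# Prints the `xauth add` line to paste in the target user's shell.
# Returns 1 (prints nothing) when display N has no local entry.
xauth_add_command() {
    entry=$(local_cookie_entry "$1" "$2")
    [ -n "$entry" ] || return 1
    printf 'xauth add %s\n' "$entry"
}

# xauth_remove_command LIST DISPLAYNUM
# Prints the `xauth remove` line for the same entry, so the cookie does not
# stay behind in the other user's ~/.Xauthority once the program is done.
xauth_remove_command() {
    entry=$(local_cookie_entry "$1" "$2")
    [ -n "$entry" ] || return 1
    set -- $entry          # split the entry; $1 is now "host/unix:N"
    printf 'xauth remove %s\n' "$1"
}

# Stand-alone run: show the two commands for display :0 of the sample.
xauth_add_command "$SAMPLE_XAUTH_LIST" 0
xauth_remove_command "$SAMPLE_XAUTH_LIST" 0
```

In real use, replace `SAMPLE_XAUTH_LIST` with `"$(xauth list)"` run as the original user before the `su -`, then paste the printed `xauth add` line after `export DISPLAY=:0` in the target user's shell, and the `xauth remove` line when finished. The helpers deliberately match only the `/unix:` entry, as the quoted instructions say, so the TCP entry for the same display number is never selected by mistake.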