Re: X authentication and su (Re: changing framebuffer device owner during login)
I did some more research about all this. First I checked whether
there was already an xsu tool. The only one I found is at
http://xsu.freax.eu.org/. But it's not meant to be used on the command
line or to start a shell.
Then I searched for XDM-AUTHORIZATION-1 and found at
http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html that it is a
more secure method than MIT-AUTHORIZATION-1: the cookie is exchanged in
encrypted form (there's also another: SUN-DES-1, but not on Linux I
guess).
Also, on my machine I have both MIT and XDM cookies except that the
MIT cookie seems useless: if I remove the XDM cookie I can no longer
start xeyes!
It was suggested that I generate an untrusted cookie. So I played
with xauth generate but there are two problems: I can only replace an
existing cookie (so maybe I should run it after the su?) And I can only
generate an MIT cookie, and these are not accepted anyway...
Finally, regarding the '$*' issue, ... I don't really plan to execute
commands using xsu, just do 'xsu - foo' so this is not a major issue for
me. Besides I would rather do this in Perl than in C although it would
introduce new dependencies... So I'll stick with a simple shell script
for now.
As before, suggestions and comments are welcome...
--
Francois Gouget fgouget@free.fr http://fgouget.free.fr/
Cahn's Axiom: When all else fails, read the instructions.
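
Added example, not part of the original message: a small Python reader for the .Xauthority record layout (2-byte big-endian family, then length-prefixed address, display number, protocol name and cookie data) that reports which authorization protocols have an entry for each display, the check behind the "both MIT and XDM cookies" observation above. The host name and the all-zero cookie bytes are constructed sample values, and the protocol names are written as they appear in the file (MIT-MAGIC-COOKIE-1, XDM-AUTHORIZATION-1).

```python
import struct

def _field(buf, off):
    """Read one 2-byte big-endian length followed by that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return buf[off:off + n], off + n

def parse_xauthority(buf):
    """Return one dict per entry; cookie bytes are not kept, only their length."""
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % off)
        (family,) = struct.unpack_from(">H", buf, off)
        addr, off = _field(buf, off + 2)
        disp, off = _field(buf, off)
        name, off = _field(buf, off)
        data, off = _field(buf, off)
        entries.append({"family": family, "address": addr.decode("latin-1"),
                        "display": disp.decode("ascii"),
                        "protocol": name.decode("ascii"), "data_len": len(data)})
    return entries

def protocols_by_display(entries):
    """Map 'address:display' to the sorted protocols that have an entry."""
    out = {}
    for e in entries:
        out.setdefault("%s:%s" % (e["address"], e["display"]), set()).add(e["protocol"])
    return {k: sorted(v) for k, v in out.items()}

def _entry(family, addr, disp, name, data):  # builds the constructed sample records
    return struct.pack(">H", family) + b"".join(
        struct.pack(">H", len(x)) + x for x in (addr, disp, name, data))

# Constructed sample: one local display (family 256) with both kinds of entry.
SAMPLE = (_entry(256, b"myhost", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16)) +
          _entry(256, b"myhost", b"0", b"XDM-AUTHORIZATION-1", bytes(16)))

if __name__ == "__main__":
    for display, protos in protocols_by_display(parse_xauthority(SAMPLE)).items():
        print(display, protos)
```

To inspect a real file, pass the bytes of ~/.Xauthority (or the file named by $XAUTHORITY) to parse_xauthority; only the protocol name and cookie length are reported, never the cookie itself.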