Re: X authentication and su (Re: changing framebuffer device owner during login)
On Sat, Jun 30, 2001 at 05:06:12PM -0700, Francois Gouget wrote:
> On Sun, 1 Jul 2001, Herbert Xu wrote:
>
> > Matt Zimmerman <mdz@debian.org> wrote:
> >
> > > introduce a dependency on X by using the library routines. Does anyone
> > > know how to gen xauth to cooperate, or am I stuck using a temporary file?
> >
> > Would /dev/stdout work?
>
> It does not work: xauth tries to lock /dev/stdout and fails:
>
> $ xauth -f /dev/stdout generate $DISPLAY . untrusted timeout 10 xauth:
> timeout in locking authority file /dev/stdout
Yes, I tried this.
> The problem is xauth expects this file to be in the .Xauthority format and
> thus I guess it tries to lock it, read it and rewrite it to add the new
> cookie. Maybe the intention was that user X would directly add the cookie
> to uer Y's .Xauthority file but of course it cannot work because of the
> access right issues. Even if X were root it would no work because roout
> would end up owning Y's file.
I think the intention is to store the cookie in a file, which could then be
shipped around by other means. Unfortunately, writing it to the user's current
~/.Xauthority will cause the trusted cookie to be overwritten, as it seems
unable (or unwilling) to hold multiple cookies for a given display. Even if
that worked, I don't think xauth generate outputs enough information to allow
an application to fetch the right cookie once it is written.
> What's needed is for xauth to output the generated cookie in
> extract/nextract or list mode. Then it makes sense to send it to stdout.
> But how would you choose the output format, I'm not sure. Or maybe '-f'
> should mean read from stdin and write to stdout. Then you would do:
Yes, that is what I would like it to do. As for the output format, I would
settle for binary, but the whole nextract/extract nlist/list nmerge/merge
mechanism should be replaced with a -format flag or some such.
I guess I'll have to add an autoconf test for mkstemp (tmpfile won't work here,
obviously) and use a temporary file. Blecch.
--
- mdz
Reply to: