Re: The best recommendation for allowing "su" in X
On Sun, 7 Jul 2002, Osamu Aoki wrote:
> Here is the background. FAQ is:
>
> "I want to run X from a user account. It is a good thing. But how can
> I get a program which requires root privilege to run from this X
> session?"
>
> Answer is simple and I know this:)
>
> "export XAUTHORITY=$HOME/.Xauthority"

I like it better to run "xauth merge ~<USER_RUNNING_X>/.Xauthority" once
after "su -"ing; this will import the user's keys into root's .Xauthority.

On some machines I have put the following in /etc/sudoers:

Cmnd_Alias ROOTXTERM=/usr/X11R6/bin/xauth -f /root/.Xauthority merge *, \
    /usr/bin/aterm -[Tnlbtd]*, /usr/X11R6/bin/xterm -[Tnlbtd]*
Host_Alias LOCALHOST
<USER> LOCALHOST=ROOTXTERM

This allows me to run the following commands from a script I called
rootxterm:

#! /bin/bash
#
# Ask for the user's password
# ($XAUTH is not set in this script; xauth merge expects it to name the
# authority file of the user running X)
xterm -T 'Root Login:' -e /usr/bin/sudo -p 'Password for \%u\@\%h:' -H \
xauth -f ~root/.Xauthority merge "$XAUTH"
#
# Start an xterm as root
/usr/bin/sudo -H -b xterm -bg Mistyrose -T Root@`hostname -f` -n Root -ls "$@"

The Cmnd_Alias doesn't allow abusing the initial xterm call for running
arbitrary commands using the -e switch. You must start the xterm first
and then you can enter the commands you like. The Host_Alias restricts
the ability to start the xterm to the localhost only.

Obviously this is still a security hole, albeit a small one, because
you need an ordinary user's password to become root, but only if you
have physical access to the machine.
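Added example, not part of the original post and not sudo's own code: sudoers compares the arguments of a Cmnd_Alias entry as one space-joined string, so this sketch checks which command lines the entries from the post accept and flags any accepted line that carries -e. The function names and the sample command lines are constructed for illustration.

```shell
#!/bin/bash
# Added illustration. Models the sudoers rule for entries that carry
# arguments: the command path must match, then the arguments are joined with
# single spaces and globbed as ONE string, so "*" also matches spaces and any
# further options. Simplification: the path is compared literally.

# sudoers_match ENTRY CMD [ARG...] -> status 0 if ENTRY permits the command line
sudoers_match() {
    local entry="$1" cmd="$2" IFS=' '
    shift 2
    local path="${entry%% *}" pattern="${entry#* }"
    [ "$cmd" = "$path" ] || return 1
    [ "$entry" = "$path" ] && return 0   # entry without arguments: any allowed
    case "$*" in
        $pattern) return 0 ;;
    esac
    return 1
}

# classify ENTRY CMD [ARG...] prints: rejected | accepted | accepted-with-e
classify() {
    local entry="$1" arg
    shift
    sudoers_match "$entry" "$@" || { echo rejected; return 0; }
    shift                                # drop CMD, keep only its arguments
    for arg in "$@"; do
        if [ "$arg" = "-e" ]; then echo accepted-with-e; return 0; fi
    done
    echo accepted
}

# Entries as written in the post
XTERM_ENTRY='/usr/X11R6/bin/xterm -[Tnlbtd]*'
XAUTH_ENTRY='/usr/X11R6/bin/xauth -f /root/.Xauthority merge *'

# Constructed sample command lines to audit against the xterm entry
classify "$XTERM_ENTRY" /usr/X11R6/bin/xterm -T Root -ls
classify "$XTERM_ENTRY" /usr/X11R6/bin/xterm -e /usr/bin/id
classify "$XTERM_ENTRY" /usr/X11R6/bin/xterm -T Root -e /usr/bin/id
```

A rule that has to exclude an option is more reliably written with the complete, fixed argument list, or pointed at a root-owned wrapper script that supplies the arguments itself.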