
Re: X authentication and su (Re: changing framebuffer device owner during login)

[Please cc me, I just unsubscribed from debian-devel.]

On Mon, Jun 25, 2001 at 12:35:58AM -0700, Francois Gouget wrote:

||  On Thu, 21 Jun 2001, Vincent Zweije wrote:
||
||  > On Wed, Jun 20, 2001 at 02:59:56PM -0700, Francois Gouget wrote:
||  [...]
||  > ||     It would be sweet to have something that does all this
||  > ||  automatically.  'su -X - foo' for instance, kind of like 'ssh -X -l
||  > ||  foo hostname' but without the encryption and forwarding overhead...
||  >
||  > I think the Remote X Apps mini-HOWTO describes just the script you need.
||
||     Thanks very much for the tip. I looked at
||  /usr/share/doc/HOWTO/en-txt/mini/Remote-X-Apps.txt.gz and found a script
||  from which I derived the one below (just in case it can be of some use).
||     But I'm still having a problem. On my laptop xauth list gives me two
||  cookies:
||  $ xauth list "$DISPLAY"
||  oleron/unix:0  MIT-MAGIC-COOKIE-1   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
||  oleron/unix:0  XDM-AUTHORIZATION-1  yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
||
||     xauth add is not happy when it gets both.

Hmm.  I'd think xauth should be able to add both.  I definitely have to
read up on XDM-AUTHORIZATION-1 somehow.

||                                               It looks like I need to
||  transfer the XDM-AUTHORIZATION-1 authorization one. But I assume that if
||  I'm not using xdm things will be different. Should I systematically
||  transfer both? Does anyone have a good insight into this? Otherwise I'll
||  go a dig through this tomorrow.

Myself, I'm not sure, but I suspect the X server will only use one
of the two authorization records.  If you're using xdm, it's probably
XDM-AUTHORIZATION-1, otherwise MIT-MAGIC-COOKIE-1.  But it's just my
educated guess.

||     Is there any interest in getting such an 'xsu' script in the standard
||  Debian distribution? Maybe in xbase-clients? If so I could probably
||  polish the script below some more and even write a man page (otherwise
||  I'll keep it in my /usr/local/bin).

It would be cool to distribute such a thing, but then I'd suggest three
modifications:

[1] Translate into C, or some other language with more control to fix
    the next point:

[2] Fix the quoting problem mentioned in the mini-howto.

[3] Use xauth generate to generate a new cookie if possible, and transfer
    that to the other account.  This enables revoking access rights for
    the cookie.

||  --- cut here ---
[snip]
||  exec su $su_opts -c "xauth add `xauth list \"$DISPLAY\"`; \
||                      exec env DISPLAY='$DISPLAY' "'"$SHELL"'" -c '$*'"
||  --- cut here ---

Aha.

You can transfer both cookies if you feed them to the su command through
a pipe.  Something like "xauth list $DISPLAY | sed -e 's/^/add /' |
xauth -q", only with a su somewhere in between and some file descriptor
juggling.

An extra disadvantage of the backquotes is that the cookie can be spotted
on the command line when xauth runs.  This may not be a problem on Linux,
but it is on some other Unices.  Don't use backticks if you're going to
distribute it as a package; it's not secure enough.

On Mon, Jun 25, 2001 at 10:19:15AM +0200, Wouter Verhelst wrote:

||  On Mon, 25 Jun 2001, Francois Gouget wrote:

||  >    Is there any interest in getting such an 'xsu' script in the standard
||  > Debian distribution?
||
||  I think that would be a good idea.
||
||  I'd call it "sux", though ;-)

Funny as that may be, I think I still prefer xsu.  Or su -x, as an
extension to the su command, maybe.  On second thought, don't extend su.
It's a suid-root program, and should have as few features as possible.

Ciao.                                                        Vincent.
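
The pipe-and-file-descriptor approach sketched above, written out as an added example for this thread (it is not the script from Francois's post and not part of any Debian package). It feeds the output of "xauth list" to an xauth running under su on a spare file descriptor, so the cookie never shows up in any process's argument list, it passes both MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1 records through unchanged, and it quotes each argument of the user's command individually instead of splicing in $*, which is the quoting problem of point [2]. Assumptions: POSIX sh, su(1) and xauth(1) on PATH, a controlling terminal on /dev/tty, "xauth list" printing one "display protocol hexkey" record per line, and su handing file descriptor 3 through to the child (a PAM stack that closes extra descriptors would break the transfer). The xsu name and the helper functions are this example's own.

```shell
#!/bin/sh
# xsu: run a command as another local user with access to the current
# X display, without putting the X cookie on any command line.
# Added example, not the script from the original post.
# Assumes: su passes fd 3 to the child; a terminal exists on /dev/tty;
# "xauth list" prints records as "<display> <protocol> <hexkey>".
set -eu

# Convert "xauth list" records on stdin into "add" commands for a second
# xauth process.  Blank lines are dropped; both MIT-MAGIC-COOKIE-1 and
# XDM-AUTHORIZATION-1 records pass through unchanged.  Everything travels
# through a pipe, so the cookie values never appear in an argument list.
cookies_to_add_cmds() {
    grep -v '^[[:space:]]*$' | sed -e 's/^/add /'
}

# Wrap one string in single quotes so the target user's shell sees it as
# exactly one word, however many spaces or quotes it contains.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed -e "s/'/'\\\\''/g")"
}

# Build the string handed to "su -c": read the cookies from fd 3, close
# it, export DISPLAY, then exec the user's command with each argument
# quoted separately.  The cookie itself is not part of this string.
build_su_cmd() {
    display=$1
    shift
    cmd="xauth -q <&3 3<&-; DISPLAY=$(shell_quote "$display"); export DISPLAY; exec"
    for arg in "$@"; do
        cmd="$cmd $(shell_quote "$arg")"
    done
    printf '%s' "$cmd"
}

# The fd juggling: "3<&0" moves the cookie pipe to fd 3 of su, and
# "</dev/tty" gives su (for its password prompt) and the exec'd command
# the terminal back as standard input.
main() {
    if [ $# -lt 2 ]; then
        echo "usage: xsu USER COMMAND [ARG...]" >&2
        return 1
    fi
    user=$1
    shift
    : "${DISPLAY:?DISPLAY is not set}"
    xauth list "$DISPLAY" | cookies_to_add_cmds \
        | su "$user" -c "$(build_su_cmd "$DISPLAY" "$@")" 3<&0 </dev/tty
}

# Only act when given arguments, so the file can also be sourced for its
# helper functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `xsu foo xterm -title "it's foo's xterm"`. Point [3] from above would slot into the same pipeline by replacing the "xauth list" stage with "xauth generate" output, provided the X server supports it, since the rest of the script only sees "add" lines on a pipe.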
