KDM, XScreenSaver, Xhost, and security
I wanted to get XScreenSaver set up so it handles screen-saving when the
KDM (K Desktop Manager login screen) is being displayed. My question is
about the security implications of my actions.
What I did:
* Created a user 'xss' - and then configured it as a disabled login (I
think - I put a * in the password field in the /etc/shadow file)
* Added the following to /etc/kde2/kdm/Xsetup:
    xhost local:
    su xss -c 'xscreensaver-command -exit'
    su xss -c 'xscreensaver -no-splash -silent &'
which, as I understand it, allows non-network based connections to X,
then runs the xscreensaver commands as the user 'xss'
* Added the following to /etc/kde2/kdm/Xstartup:
    xhost -local:
    killall xscreensaver
Which removes the previously allowed non-network-based connections to X,
and kills the previously running xscreensaver processes prior to
starting the user's Xsession.
This configuration works as I intend it to, but I am concerned with the
security issues involved.
Since I am running the xscreensaver command as a non-privileged (and
login-disabled) user, I think that avoids any major problems from
running xscreensaver itself.
So, what kind of security problems does adding non-network local
connections to the access control list pose in this situation? (the KDM
login screen)
Thanks for any thoughts/opinions
-Troy
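
A check that could run at the end of Xstartup to confirm that the `xhost -local:` step in the post really removed the grant before the user's session starts. This is an added example, not part of the original post: the function name audit_xhost and the sample output are constructed, and the line prefixes assume the output format of current xhost builds.

```shell
# Added example. Constructed samples of what `xhost` (no arguments) prints:
# once after Xsetup has run `xhost local:`, once after Xstartup has run `xhost -local:`.
SAMPLE_AFTER_XSETUP='access control enabled, only authorized clients can connect
LOCAL:'
SAMPLE_AFTER_XSTARTUP='access control enabled, only authorized clients can connect'

# audit_xhost TEXT
# Prints one line per grant found in TEXT; returns 0 only if no broad grant exists.
audit_xhost() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "FAIL: access control is off, any client on any host may connect"
                findings=$((findings + 1)) ;;
            LOCAL:*)
                echo "WARN: LOCAL: entry present, every local account may connect to this display"
                findings=$((findings + 1)) ;;
            INET:*|INET6:*)
                echo "WARN: host-wide grant: $line"
                findings=$((findings + 1)) ;;
            SI:localuser:*)
                # A grant to one named account is reported but not counted as broad.
                echo "INFO: single-user grant: $line" ;;
        esac
    done <<EOF
$1
EOF
    [ "$findings" -eq 0 ]
}

# Live use (assumes DISPLAY points at the KDM display): audit_xhost "$(xhost)"
for sample in "$SAMPLE_AFTER_XSETUP" "$SAMPLE_AFTER_XSTARTUP"; do
    if audit_xhost "$sample"; then echo "OK: no broad grants"; fi
    echo "--"
done
```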