
Re: Unidentified subject!



Will Lowe wrote:

> On Tue, 7 Jul 1998 ej@pitnet.net wrote:
>
> > Unless explicitly told to do so using xhost, X does not allow anybody
> > other than the person who started it to open windows on its desktop,
> > not even root.  I could never figure out the proper syntax for xhost,
> > however, so I usually end up just using 'xhost +' which disables all
> > access control and then 'xhost -' when I'm done.
>
> That's pretty insecure.  I've seen instances where people on our campus
> (admittedly,  a large one with relatively insecure systems anyway) have
> had other people connect to their X displays because they'd done the
> "xhost +" bit.  Generally more a nuisance than a real security concern,
> but still... "xhost + localhost" is only marginally more secure ... with
> that one,  just anyone on the x machine can connect ... so on a system
> which distributes campus email,  that's a few thousand people here...
>
> Go for "sudo".

Actually, it's potentially much more than a nuisance. An X client can capture all your
keystrokes. You do the math.

To just allow root to run an X app when you logged in as someone other than root do:

chilin$ su
Password:
chilin# export XAUTHORITY=$(echo /var/lib/xdm/authdir/authfiles/*)

This way you can access the server using the xauth data, which only you and root
have access to. Neato.
Try it!

--
Jens B. Jorgensen
jjorgens@bdsinc.com
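
The mechanism behind the xauth approach above, as an added example that is not part of the original mail: the file that XAUTHORITY points at is a sequence of binary records, one per display, each holding the secret MIT-MAGIC-COOKIE-1 value a client must present to connect. Pointing root's XAUTHORITY at the user's file, or copying one record out of it with `xauth extract` / `xauth merge`, hands root that cookie and nothing else, which is why it is safer than `xhost +`. The code below parses and writes that record format and reproduces extract/merge for a single local display; the hostname "chilin", the display numbers and the cookie bytes are constructed sample data, not values from the original.

```python
"""Parse, extract and merge records of an X authority (~/.Xauthority) file.

Added example, not code from the original mail. The record layout is the
one libXau reads: a 2-byte big-endian family, then four length-prefixed
byte fields (address, display number, auth name, auth data). It mirrors
what `xauth extract` and `xauth merge` do, without needing a running X
server. Hostname and cookie values used in demo() are constructed.
"""
import struct
from dataclasses import dataclass

FAMILY_INTERNET = 0      # address is a 4-byte IPv4 address
FAMILY_LOCAL = 256       # address is the local hostname (unix socket display)
FAMILY_WILD = 65535      # matches any address


@dataclass(frozen=True)
class XauthEntry:
    family: int
    address: bytes   # hostname for FamilyLocal, raw IP for FamilyInternet
    number: bytes    # display number as ASCII digits, e.g. b"0"
    name: bytes      # authorization protocol, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes      # the secret: 16 random bytes for MIT-MAGIC-COOKIE-1

    def key(self):
        """Fields identifying a record; `xauth merge` replaces on this key."""
        return (self.family, self.address, self.number, self.name)


def _read_field(buf, pos):
    """Read one 2-byte-length-prefixed field, refusing truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated Xauthority record")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated Xauthority record")
    return buf[pos:pos + n], pos + n


def parse_xauthority(buf):
    """Decode a whole authority file into a list of XauthEntry records."""
    entries, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _read_field(buf, pos)
        number, pos = _read_field(buf, pos)
        name, pos = _read_field(buf, pos)
        data, pos = _read_field(buf, pos)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def _write_field(b):
    return struct.pack(">H", len(b)) + b


def serialize_xauthority(entries):
    """Encode records back into the on-disk format (inverse of parse)."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        out += _write_field(e.address) + _write_field(e.number)
        out += _write_field(e.name) + _write_field(e.data)
    return bytes(out)


def extract_display(entries, hostname, number):
    """Like `xauth extract - hostname/unix:N`: only records for that display."""
    want = (FAMILY_LOCAL, hostname.encode(), str(number).encode())
    return [e for e in entries if (e.family, e.address, e.number) == want]


def merge(existing, new):
    """Like `xauth merge`: replace records with the same key, append the rest."""
    by_key = {e.key(): e for e in existing}
    for e in new:
        by_key[e.key()] = e
    return list(by_key.values())


def demo():
    """Hand root the cookie for display :0 only (constructed sample data)."""
    cookie0 = bytes(range(16))          # constructed, not a real cookie
    cookie1 = bytes(range(16, 32))      # constructed, not a real cookie
    user_file = serialize_xauthority([
        XauthEntry(FAMILY_LOCAL, b"chilin", b"0", b"MIT-MAGIC-COOKIE-1", cookie0),
        XauthEntry(FAMILY_LOCAL, b"chilin", b"1", b"MIT-MAGIC-COOKIE-1", cookie1),
    ])
    user_entries = parse_xauthority(user_file)
    # root starts with an empty authority file and receives only :0
    root_entries = merge([], extract_display(user_entries, "chilin", 0))
    return user_entries, root_entries


if __name__ == "__main__":
    users, roots = demo()
    print("user file records:", [e.number for e in users])
    print("root file records:", [e.number for e in roots])
```

On a real system the same transfer is `xauth -f /home/<user>/.Xauthority extract - "$DISPLAY" | xauth merge -` run as root, which is equivalent to the `export XAUTHORITY=...` trick in the mail except that root gets a copy of one record instead of reading the user's file directly. Whichever way it is done, the authority file must stay readable only by its owner (mode 0600): anyone who can read the cookie has the same full access to the display, keystroke capture included, that `xhost +` would have given them.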



--  
Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null

