[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: More Admin Questions

> I installed the smail package and related files. How can I be sure
> this is being used and not sendmail? Also when I su to root from a
> user account and try to run an X program I get the following message:
> Xlib: Invalid MIT-MAGIC-COOKIE-1 key
> Initialization error: X server not responding
> : ":0.0"
> I am not sure what to do with this. TIA

Someone asked a similar question a few months ago.  Here is my response
together with a correction/clarification of the problem/solution.

I hope this helps,


----Forwarded Message:----

Tom Allard wrote:
> Kirk Hogenson wrote:
> > The problem is that "you" own the X session, "root" doesn't.
> > 
> > The easiest way to get this to work is to type
> > 
> >    xhost + localhost
> > 
> > before you do your su.  This means that you'll let anyone
> > from the host "localhost" (ie, your computer) connect to your
> > X.
> > 
> > However, I recall there were some security risks associated with
> > using xhost like this... maybe someone else will point them out.
> Ok, I will.  If you do that, ANYONE on the hosts added can capture 
> keys,  dump your window, and virtually hijack your computer 
> completely.
> > If you aren't connected to a network (or just dial up occasionally
> > using, eg, ppp) then you should have no problems.  (Using
> > "xhost + localhost" helps, lots of people just use "xhost +",
> > which allows *anyone* from *anywhere* access -- bad idea.)
> I really think there is no reason to *ever* do "xhost + anything".
> First, Tcl's "send" command will not operate if xhost security is
> allowed at all.  That would break things like exmh which use send to
> talk to a background process.  Tcl disables "send" when "xhost +" is
> used because it would otherwise allow simple control of *everything*
> (send combined with exec).
> While "send" is not a security issue when "xhost +" is used, you lose
> functionality, even if you never ever connect to any other computer.
> The other reason not to ever run "xhost +" is because there are better
> ways to share your X session.  For root, it is extremely easy.  For
> other users, it's a little more tricky:
> For root:
> root# XAUTHORITY=/home/your_id/.Xauthority
> root# DISPLAY=:0.0
> "your_id" is the id of whoever ran "startx".
> For NON-root users:
> You can use "xauth" to extract the key from one user and to add the 
> key to the other.  The tricky part is in keeping it secure in the 
> meantime.  Encrypting with pgp is one possibility.
> To extract a key:
> user1% xauth extract my_key $DISPLAY
> The file my_key has your key in it (xauth SHOULD create it with user 
> rw permissions only).  Do whatever you need to to securely transfer it 
> to the other user, and then have that user run:
> user2% xauth merge my_key
> user2% DISPLAY=:0.0
> user2% export DISPLAY
> Note that user2 now has complete control to your X session until you 
> end it and start a new one (at which time a new key will be 
> generated).  If user1 is running any Tcl application which has send 
> enabled (default), user2 can tell that Tcl application to exec 
> arbitrary commands and return the results to user2.  There is also 
> nothing prohibiting user2 from giving the key to user3!  You wouldn't 
> want to do this to someone you didn't trust.
> As far as I know, you can't change the xauth key during a session.
> Still, this is far better than giving unlimited users access to your X
> session.
> Finally, your keys are stored in ~/.Xauthority, so make sure you don't
> give global access to it.
> rgds-- TA  (tallard@frb.gov)
> I don't speak for the Federal Reserve Board, it doesn't speak for me.

Reply to: