Re: More Admin Questions
> I installed the smail package and related files. How can I be sure
> this is being used and not sendmail? Also when I su to root from a
> user account and try to run an X program I get the following message:
> Xlib: Invalid MIT-MAGIC-COOKIE-1 key
> Initialization error: X server not responding
> : ":0.0"
> I am not sure what to do with this. TIA
Someone asked a similar question a few months ago. Here is my response
together with a correction/clarification of the problem/solution.
I hope this helps,
Tom Allard wrote:
> Kirk Hogenson wrote:
> > The problem is that "you" own the X session, "root" doesn't.
> > The easiest way to get this to work is to type
> > xhost + localhost
> > before you do your su. This means that you'll let anyone
> > from the host "localhost" (ie, your computer) connect to your
> > X.
> > However, I recall there were some security risks associated with
> > using xhost like this... maybe someone else will point them out.
> Ok, I will. If you do that, ANYONE on the hosts added can capture
> keys, dump your window, and virtually hijack your computer.
> > If you aren't connected to a network (or just dial up occasionally
> > using, eg, ppp) then you should have no problems. (Using
> > "xhost + localhost" helps, lots of people just use "xhost +",
> > which allows *anyone* from *anywhere* access -- bad idea.)
> I really think there is no reason to *ever* do "xhost + anything".
> First, Tcl's "send" command will not operate if xhost security is
> allowed at all. That would break things like exmh which use send to
> talk to a background process. Tcl disables "send" when "xhost +" is
> used because it would otherwise allow simple control of *everything*
> (send combined with exec).
> While "send" is not a security issue when "xhost +" is used, you lose
> functionality, even if you never ever connect to any other computer.
> The other reason not to ever run "xhost +" is because there are better
> ways to share your X session. For root, it is extremely easy. For
> other users, it's a little more tricky:
> For root:
> root# XAUTHORITY=/home/your_id/.Xauthority
> root# DISPLAY=:0.0
> root# export XAUTHORITY DISPLAY
> "your_id" is the id of whoever ran "startx".
> For NON-root users:
> You can use "xauth" to extract the key from one user and to add the
> key to the other. The tricky part is in keeping it secure in the
> meantime. Encrypting with pgp is one possibility.
> To extract a key:
> user1% xauth extract my_key $DISPLAY
> The file my_key has your key in it (xauth SHOULD create it with user
> rw permissions only). Do whatever you need to to securely transfer it
> to the other user, and then have that user run:
> user2% xauth merge my_key
> user2% DISPLAY=:0.0
> user2% export DISPLAY
> Note that user2 now has complete control to your X session until you
> end it and start a new one (at which time a new key will be
> generated). If user1 is running any Tcl application which has send
> enabled (default), user2 can tell that Tcl application to exec
> arbitrary commands and return the results to user2. There is also
> nothing prohibiting user2 from giving the key to user3! You wouldn't
> want to do this to someone you didn't trust.
> As far as I know, you can't change the xauth key during a session.
> Still, this is far better than giving unlimited users access to your X
> Finally, your keys are stored in ~/.Xauthority, so make sure you don't
> give global access to it.
> rgds-- TA (firstname.lastname@example.org)
> I don't speak for the Federal Reserve Board, it doesn't speak for me.
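
Added example, not part of the original thread: a POSIX shell check for the two conditions the quoted reply warns about, a cookie file that other users can read and host-based xhost access. The function names and the sample xhost output are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the two X access settings discussed in this thread.
# The sample xhost output below is constructed for illustration.

# Succeeds (0) only if FILE exists and gives group/other no permission bits.
xauthority_is_private() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    go=$(ls -ld -- "$1" | cut -c5-10)
    [ "$go" = "------" ]
}

# Reads `xhost` output on stdin. Returns:
#   0  access control enabled, no host-wide entries
#   1  access control disabled (the state "xhost +" leaves behind)
#   2  enabled, but a whole host is allowed (e.g. "xhost + localhost")
audit_xhost() {
    rc=0
    while IFS= read -r line; do
        case $line in
            "access control disabled"*) rc=1 ;;
            "access control enabled"*|"") ;;
            SI:localuser:*) ;;   # names one local user, not a whole host
            *) [ "$rc" -eq 1 ] || rc=2
               echo "host-wide entry: $line" >&2 ;;
        esac
    done
    return "$rc"
}

# Constructed samples of xhost output.
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_LOCALHOST='access control enabled, only authorized clients can connect
INET:localhost'
SAMPLE_CLOSED='access control enabled, only authorized clients can connect'

# Live check, only when asked for and an X display is available.
if [ "${1:-}" = "--live" ]; then
    xauthority_is_private "${XAUTHORITY:-$HOME/.Xauthority}" ||
        echo "cookie file is missing or accessible to other users"
    xhost | audit_xhost || echo "host-based access is open"
fi
```

Run with `--live` inside the X session to check the real display; without arguments the script only defines the functions and samples.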