Re: More Admin Questions
> I installed the smail package and related files. How can I be sure
> this is being used and not sendmail? Also when I su to root from a
> user account and try to run an X program I get the following message:
>
> Xlib: Invalid MIT-MAGIC-COOKIE-1 key
>
> Initialization error: X server not responding
> : ":0.0"
>
> I am not sure what to do with this. TIA
Someone asked a similar question a few months ago. Here is my response
together with a correction/clarification of the problem/solution.
I hope this helps,
Kirk
----Forwarded Message:----
Tom Allard wrote:
>
> Kirk Hogenson wrote:
>
> > The problem is that "you" own the X session, "root" doesn't.
> >
> > The easiest way to get this to work is to type
> >
> > xhost + localhost
> >
> > before you do your su. This means that you'll let anyone
> > from the host "localhost" (i.e., your computer) connect to your
> > X.
> >
> > However, I recall there were some security risks associated with
> > using xhost like this... maybe someone else will point them out.
>
> Ok, I will. If you do that, ANYONE on the hosts added can capture
> keys, dump your window, and virtually hijack your computer
> completely.
>
> > If you aren't connected to a network (or just dial up occasionally
> > using, e.g., ppp) then you should have no problems. (Using
> > "xhost + localhost" helps, lots of people just use "xhost +",
> > which allows *anyone* from *anywhere* access -- bad idea.)
>
> I really think there is no reason to *ever* do "xhost + anything".
>
> First, Tcl's "send" command will not operate if xhost security is
> allowed at all. That would break things like exmh which use send to
> talk to a background process. Tcl disables "send" when "xhost +" is
> used because it would otherwise allow simple control of *everything*
> (send combined with exec).
>
> While "send" is not a security issue when "xhost +" is used, you lose
> functionality, even if you never ever connect to any other computer.
>
> The other reason not to ever run "xhost +" is because there are better
> ways to share your X session. For root, it is extremely easy. For
> other users, it's a little more tricky:
>
> For root:
>
> root# XAUTHORITY=/home/your_id/.Xauthority
> root# DISPLAY=:0.0
> root# export XAUTHORITY DISPLAY
>
> "your_id" is the id of whoever ran "startx".
>
> For NON-root users:
>
> You can use "xauth" to extract the key from one user and to add the
> key to the other. The tricky part is in keeping it secure in the
> meantime. Encrypting with pgp is one possibility.
>
> To extract a key:
>
> user1% xauth extract my_key $DISPLAY
>
> The file my_key has your key in it (xauth SHOULD create it with user
> rw permissions only). Do whatever you need to to securely transfer it
> to the other user, and then have that user run:
>
> user2% xauth merge my_key
> user2% DISPLAY=:0.0
> user2% export DISPLAY
>
> Note that user2 now has complete control to your X session until you
> end it and start a new one (at which time a new key will be
> generated). If user1 is running any Tcl application which has send
> enabled (default), user2 can tell that Tcl application to exec
> arbitrary commands and return the results to user2. There is also
> nothing prohibiting user2 from giving the key to user3! You wouldn't
> want to do this to someone you didn't trust.
>
> As far as I know, you can't change the xauth key during a session.
> Still, this is far better than giving unlimited users access to your X
> session.
>
> Finally, your keys are stored in ~/.Xauthority, so make sure you don't
> give global access to it.
>
> rgds-- TA (tallard@frb.gov)
> I don't speak for the Federal Reserve Board, it doesn't speak for me.
>
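A defender-side check for the two settings this thread warns about, as an added example that is not part of the original messages: it classifies `xhost` output and verifies that the Xauthority file grants nothing to group or other. The function names are this example's own, and when no X display is available it runs on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the X access settings
# discussed above. All function names here are this example's own.

# classify_xhost: read `xhost` output on stdin and print one verdict:
#   open        - access control disabled (what "xhost +" leaves behind)
#   host-list   - host/user entries present (e.g. after "xhost + localhost")
#   cookie-only - only clients holding the xauth key can connect
#   unknown     - no status line seen (xhost could not reach the display)
classify_xhost() {
    awk '
        /^access control disabled/ { disabled = 1; hdr = 1; next }
        /^access control enabled/  { hdr = 1; next }
        NF                         { entries++ }
        END {
            if (!hdr)          print "unknown"
            else if (disabled) print "open"
            else if (entries)  print "host-list"
            else               print "cookie-only"
        }'
}

# xauthority_private FILE: succeed only if FILE is a regular file that grants
# no permissions to group or other (mode string positions 5-10 all "-").
xauthority_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_x_session XHOST_TEXT XAUTH_FILE: print findings for both checks.
audit_x_session() {
    printf 'xhost state: %s\n' "$(printf '%s\n' "$1" | classify_xhost)"
    if xauthority_private "$2"; then
        printf '%s: private\n' "$2"
    else
        printf '%s: missing or accessible to group/other\n' "$2"
    fi
}

# Live check when an X display is available; otherwise a constructed sample.
if [ -n "${DISPLAY:-}" ] && command -v xhost >/dev/null 2>&1; then
    audit_x_session "$(xhost 2>/dev/null)" "${XAUTHORITY:-$HOME/.Xauthority}"
else
    audit_x_session "access control enabled, only authorized clients can connect
INET:localhost" "${XAUTHORITY:-$HOME/.Xauthority}"
fi
```

A `host-list` or `open` verdict can be cleared with `xhost -` followed by removing the listed entries, leaving only key holders able to connect.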