Re: user not authorized to run X, strange variant

To: Erik Steffl <steffl@bigfoot.com>
Cc: debian-user <debian-user@lists.debian.org>
Subject: Re: user not authorized to run X, strange variant
From: "David Zoll" <dzoll@nyscul.org>
Date: Wed, 13 Dec 2000 10:30:52 -0500
Message-id: <[🔎] 3A37962C.6A31C124@nyscul.org>
References: <[🔎] 3A35FF47.2D440463@bigfoot.com> <[🔎] 20001212144559.B11318@decoy.ath.cx> <[🔎] 3A36616C.1B4DF176@bigfoot.com> <[🔎] 20001212185258.A984@decoy.ath.cx> <[🔎] 3A367E06.E81BAC35@bigfoot.com> <[🔎] 20001212221903.B3063@decoy.ath.cx> <[🔎] 3A36A94F.13BB9727@bigfoot.com>

Erik Steffl wrote:
> 
> sena wrote:
> >
> > On 12/12/2000 at 11:35 -0800, Erik Steffl wrote:
> > >   my point was that these options do not help in what I think is by far
> > > most common situation. then again, I have no lies neither statistics to
> > > support this:-)
> > >
> > >   I mean the most common situations should be solved first, then special
> > > cases. maybe I'm missing something but I can't find any docs on this...
> > >
> > I think the most _appropriate_ approach is to make things secure above all.
> > That must be why X comes rootonly by default until someone changes it. Nice.
> 
>   that's the problem. the default is secure but the most typical (my
> assessment) setup cannot be made secure as you have to let anybody run
> X. what's the use of security measure that has to be disabled in most
> cases?

The most typical (by my assessment) setup is where X is run via *dm. 
The "allowed_users=rootonly" option works fine for that (I've only
tested it under gdm, but xdm and kdm should work the same).  This is the
default.

The most typical power-user's setup is where X is run via startx.  The
"allowed_users=console" option works fine for that.  These are power
users, so changing the default should be no problem for them.

I can't think of ANY setups where "allowed_users=console" gives
insufficient access to the X server; just in case, there's an
"allowed_users=anyone" option.  I, for one, don't want anybody running X
unless they're sitting in front of the box.

Earlier in the thread, Erik Steffl also wrote:
> I mean what's the point of having these options when basically only
> 'anybody' is usable? I mean you dont' want to run X as root, that does
> not make sense and if you run X most of the time (fairly common,
> probably most common situation for machines whe X is installed) then it
> makes sense to use xdm (or other *dm).

X, by which I mean the program /usr/bin/X11/X is ALWAYS run as root.  In
fact it is setuid root to make sure of this.  This is because it needs
access to privileged hardware (and possible privileged ports too, I
don't remember for sure).

If you run gdm, X is even run BY root, since gdm is running as root.  I
assume the other *dm's are the same in this respect.  This is why
"allowed_users=rootonly" works in this case.

Best of Luck,
-Gleef

Reply to:

References:
- user not authorized to run X, strange variant
  - From: Erik Steffl <steffl@bigfoot.com>
- Re: user not authorized to run X, strange variant
  - From: sena <sena@decoy.ath.cx>
- Re: user not authorized to run X, strange variant
  - From: Erik Steffl <steffl@bigfoot.com>
- Re: user not authorized to run X, strange variant
  - From: sena <sena@decoy.ath.cx>
- Re: user not authorized to run X, strange variant
  - From: Erik Steffl <steffl@bigfoot.com>
- Re: user not authorized to run X, strange variant
  - From: sena <sena@decoy.ath.cx>
- Re: user not authorized to run X, strange variant
  - From: Erik Steffl <steffl@bigfoot.com>

Prev by Date: Re: Signal 11 when using 'ps'
Next by Date: howto monitoring interface?
Previous by thread: Re: user not authorized to run X, strange variant
Next by thread: installing aviplay
Index(es):
- Date
- Thread