Re: Magic cookies and running programs under X as root

To: debian-user@lists.debian.org
Subject: Re: Magic cookies and running programs under X as root
From: kmself@ix.netcom.com
Date: Tue, 30 Jan 2001 13:31:52 -0800
Message-id: <[🔎] 20010130133152.B21575@ix.netcom.com>
In-reply-to: <[🔎] nhxofwqx8xx.fsf@sasg955.sandia.gov>; from glhenni@sandia.gov on Mon, Jan 29, 2001 at 03:58:02PM -0700
References: <vM_vTC.A.T1B.9Ued6@murphy> <[🔎] nhxofwqx8xx.fsf@sasg955.sandia.gov>

on Mon, Jan 29, 2001 at 03:58:02PM -0700, Gary Hennigan (glhenni@sandia.gov) wrote:
> kmself@ix.netcom.com writes:
> > on Sun, Jan 28, 2001 at 02:12:44AM -0800, Terry Carney
> > (tcarney@selterra.com) wrote:
> > > On Sat, 27 Jan 2001, Christopher R. Barry wrote:
> > >
> > > >   Xlib: connection to ":0.0" refused by server
> > > >   Xlib: Client is not authorized to connect to Server
> > > >   Error: Can't open display: :0.0
> > > >
> > > > I guess tonight I finally want to get around to figuring out how to
> > stop this
> > > > from happening. What do I do so I can run programs as root?
> > >
> > > The following works for me. All on one line in case of wordwrap.
> > >
> > > XAUTHORITY=/home/username/.Xauthority;DISPLAY=:0.0;export XAUTHORITY
> > DISPLAY
> >
> > *Don't* do this.
> >
> > You're now allowing access to root's X display via an unprivileged
> > user's file.  If that file is compromised, root's X access is
> > compromised.  This includes changing the value of the cookie in the
> > file.
> >
> > Better to merge against a user's file.  This allows you to match the
> > present state of the file, but prevent future values from being applied
> > to root's X authorization keys.  Puts root in stronger control.
> 
> I guess I don't understand the difference. If the user's ~/.Xauthority
> file is compromised, and that user owns the X session, all bets are
> off. Anything opened as root, and displayed in the user-owned X
> session, is up for grabs. 

Yes, but:  root can revoke the cookie.  If you point to, or worse, link
to, a user file, root no longer has immediate control over its own X
session and cookie values.

I need to research how Xauthority works, I believe it's not as wide open
as I seem to fear.  I still don't think it's a good practice, and might
lead to problems with, say, multiple users as root at the same time --
not unlikely in a shared system with shared root access, whether via
password or sudo.  Points about security as compromise taken.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org

Attachment: pgpG1bLmvwXis.pgp
Description: PGP signature

Reply to:

References:
- Re: Magic cookies and running programs under X as root
  - From: "Gary Hennigan" <glhenni@sandia.gov>

Prev by Date: Re: Bash Scripting
Next by Date: RE: Bash Scripting
Previous by thread: Re: Magic cookies and running programs under X as root
Next by thread: realplayer on debian 2.2
Index(es):
- Date
- Thread