Re: allowing root to display to a user's X session

To: debian-user@lists.debian.org
Subject: Re: allowing root to display to a user's X session
From: "Karsten M. Self" <kmself@ix.netcom.com>
Date: Tue, 20 Nov 2001 02:53:06 -0800
Message-id: <[🔎] 20011120025305.G22200@navel.introspect>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] nhxk7wmcsy0.fsf@sadl12238.sandia.gov>; from glhenni@sandia.gov on Mon, Nov 19, 2001 at 03:11:03PM -0700
References: <[🔎] Pine.LNX.4.33.0111191318300.4495-100000@maurice.rprc.washington.edu> <[🔎] 873d3atpxw.fsf@sesquipedalian.wcomnet.com> <[🔎] nhxk7wmcsy0.fsf@sadl12238.sandia.gov>

on Mon, Nov 19, 2001 at 03:11:03PM -0700, Gary Hennigan (glhenni@sandia.gov) wrote:
> DvB <dvanbalen@jam.rr.com> writes:
> > David Wright <ichbin@shadlen.org> writes:
> > 
> > > When troubleshooting on RedHat, I often log in to a X session as a user,
> > > then su to root in an xterm and run ethereal (a packet-sniffer with GUI)
> > > to watch the network traffic that results from my actions as a user.
> > > 
> > > I would like to do this on Debian, but when I try to start ethereal, I get
> > > the error message:
> > >   Xlib: Client is not authorized to connect to Server
> > > Apparently root is not allowed to display to a user's X session. How can I
> > > allow this?
> > 
> > 
> > 'xhost +localhost' should fix the problem (this allows connections to
> > your x session from your local machine).
> 
> If you use this just make sure you're the only one on the machine, or
> that everyone that has an account on your machine is "trusted". It
> completely opens up your entire X session to anyone on
> "localhost". Nothing wrong with that, as long as you're aware that
> that is the case.
> 
> My preferred solution is to su to root and do:
> 
> export XAUTHORITY=~myusername/.Xauthority ;export DISPLAY=:0.0
> 
> I think there are still some security concerns even with this, but
> it's better than "xhost + localhost", as far as security goes anyway.
> 
> The other option is to get the "Magic Cookie" of your xsession. The
> sequence would be something like:
> 
> % xauth list
> junk/unix:0 MIT-MAGIC-COOKIE-1  a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> 192.168.1.1 MIT-MAGIC-COOKIE-1  a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> % su -
> Password:
> root% xauth add 192.168.1.1 MIT-MAGIC-COOKIE-1 a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> root% export DISPLAY=192.168.1.1:0
> 
> I think that's the best approach if you're up-tight about security. 

I'd pick a variant of your second which is IMO both easier and more
secure than allowing another user to specify root's Xauth file:

    $ xauth merge ~user/.Xauthority

...will give root all the cookies in a user's xauth database.

> Of course if you're really up-tight about security you wouldn't be
> using X at all! ;)

Y?

;^)


-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html

Attachment: pgpM1Bq4nSwYs.pgp
Description: PGP signature

Reply to:

References:
- allowing root to display to a user's X session
  - From: David Wright <ichbin@shadlen.org>
- Re: allowing root to display to a user's X session
  - From: DvB <dvanbalen@jam.rr.com>
- Re: allowing root to display to a user's X session
  - From: "Gary Hennigan" <glhenni@sandia.gov>

Prev by Date: HDD clone
Next by Date: AW: HDD clone
Previous by thread: Re: allowing root to display to a user's X session
Next by thread: Re: allowing root to display to a user's X session
Index(es):
- Date
- Thread