[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: allowing root to display to a user's X session



on Mon, Nov 19, 2001 at 03:11:03PM -0700, Gary Hennigan (glhenni@sandia.gov) wrote:
> DvB <dvanbalen@jam.rr.com> writes:
> > David Wright <ichbin@shadlen.org> writes:
> > 
> > > When troubleshooting on RedHat, I often log in to a X session as a user,
> > > then su to root in an xterm and run ethereal (a packet-sniffer with GUI)
> > > to watch the network traffic that results from my actions as a user.
> > > 
> > > I would like to do this on Debian, but when I try to start ethereal, I get
> > > the error message:
> > >   Xlib: Client is not authorized to connect to Server
> > > Apparently root is not allowed to display to a user's X session. How can I
> > > allow this?
> > 
> > 
> > 'xhost +localhost' should fix the problem (this allows connections to
> > your x session from your local machine).
> 
> If you use this just make sure you're the only one on the machine, or
> that everyone that has an account on your machine is "trusted". It
> completely opens up your entire X session to anyone on
> "localhost". Nothing wrong with that, as long as you're aware that
> that is the case.
> 
> My preferred solution is to su to root and do:
> 
> export XAUTHORITY=~myusername/.Xauthority ;export DISPLAY=:0.0
> 
> I think there are still some security concerns even with this, but
> it's better than "xhost + localhost", as far as security goes anyway.
> 
> The other option is to get the "Magic Cookie" of your xsession. The
> sequence would be something like:
> 
> % xauth list
> junk/unix:0 MIT-MAGIC-COOKIE-1  a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> 192.168.1.1 MIT-MAGIC-COOKIE-1  a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> % su -
> Password:
> root% xauth add 192.168.1.1 MIT-MAGIC-COOKIE-1 a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> root% export DISPLAY=192.168.1.1:0
> 
> I think that's the best approach if you're up-tight about security. 

I'd pick a variant of your second which is IMO both easier and more
secure than allowing another user to specify root's Xauth file:

    $ xauth merge ~user/.Xauthority

...will give root all the cookies in a user's xauth database.

> Of course if you're really up-tight about security you wouldn't be
> using X at all! ;)

Y?

;^)


-- 
Karsten M. Self <kmself@ix.netcom.com>       http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?             Home of the brave
  http://gestalt-system.sourceforge.net/                   Land of the free
   Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire                     http://kmself.home.netcom.com/resume.html

Attachment: pgpIp0SJV8Brr.pgp
Description: PGP signature


Reply to: