Re: allowing root to display to a user's X session
"Karsten M. Self" <kmself@ix.netcom.com> writes:
> on Mon, Nov 19, 2001 at 03:11:03PM -0700, Gary Hennigan
> (glhenni@sandia.gov) wrote:
> > My preferred solution is to su to root and do:
> >
> > export XAUTHORITY=~myusername/.Xauthority ;export DISPLAY=:0.0
> >
> > I think there are still some security concerns even with this, but
> > it's better than "xhost + localhost", as far as security goes anyway.
> >
> > The other option is to get the "Magic Cookie" of your xsession. The
> > sequence would be something like:
> >
> > % xauth list
> > junk/unix:0 MIT-MAGIC-COOKIE-1 a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> > 192.168.1.1 MIT-MAGIC-COOKIE-1 a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> > % su -
> > Password:
> > root% xauth add 192.168.1.1 MIT-MAGIC-COOKIE-1
> a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
> > root% export DISPLAY=192.168.1.1:0
> >
> > I think that's the best approach if you're up-tight about security.
>
> I'd pick a variant of your second which is IMO both easier and more
> secure than allowing another user to specify root's Xauth file:
>
> $ xauth merge ~user/.Xauthority
>
> ...will give root all the cookies in a user's xauth database.
>
> > Of course if you're really up-tight about security you wouldn't be
> > using X at all! ;)
>
> Y?
Because it's easy to "do the wrong thing" with X and allow "bad
things" to happen. For example, the aforementioned
"xhost + localhost". Plus, this isn't under the control of the
sysadmin. A user can log in and do an "xhost +" and some unfriendly
user can effectively get into that account and do bad things.
Gary
Reply to: