Re: X security (was: Root login)



On Wed, 2003-03-19 at 08:18, Johan van der Walt wrote:
> I just now installed Woody and did a simple installation using only tasksel.
> So Gnome is the display manager. However, it does not allow me to login as 
> root. I need to install OpenOffice and to do that I have to login as root
> but not from the console. 
> 
> How can I get past this problem?

Hi, Johan. As others have pointed out, starting an entire X session as
root is probably not the best way to go. There are a number of ways
listed in the other replies that will work, but I thought I would take
just a minute to explain X security as I understand it.

There are a couple of ways that root (or any other user) can connect to
someone else's X session.

1. that user has the "magic cookie" that the server requires

The file ~/.Xauthority contains a key that will grant access to the X
server. If root or anyone else is able to read that file, they can
connect by doing 

    XAUTHORITY=/home/user/.Xauthority X_program_to_run

(you can put "export XAUTHORITY=~/.Xauthority" in your .bashrc, so that
when you "su" you can run programs as root without any additional
steps)

or you can merge the contents of that other user's .Xauthority with your
own by doing

    xauth merge /home/user/.Xauthority
    X_program_to_run

This is what ssh does to allow remote connections (in addition to
tunneling).

2. host based access

You can run a command like what Carl Fink suggested:

    xhost local:+

and if you had TCP/IP enabled for X (by removing the nolisten tcp from
/etc/X/xinit/xserverrc or your DM specific config file) you can allow
users from other machines as well:

    xhost inet:hostname


Any of these methods should work. I believe that sudo does #1 for you,
but I can't say for certain. In my opinion, ssh + X tunneling and
xauthority files beat xhost statements easily (security granularity and
ease of use). Whew, a little more than a minute, but I hope that helps
you.

-Mark

P.S. An even easier answer to your original question is that there are
openoffice.org debs in sid.
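
Added example, not part of the original message: since anyone who can read ~/.Xauthority can connect to the display, this Python sketch audits an authority file's permissions and lists its entries without printing the cookie. The names `counted`, `parse_xauthority`, `audit_authority_file` and the `SAMPLE` entry are constructed for illustration.

```python
import os
import stat
import struct

# Family codes from X.h / Xauth.h.
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def counted(b):
    """Encode one counted string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

# Constructed sample: host "debian", display 0, 16 zero bytes as a stand-in cookie.
SAMPLE = struct.pack(">H", 256) + b"".join(
    counted(f) for f in (b"debian", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16)))

def parse_xauthority(blob):
    """Parse authority-file bytes: family, then address, display, name, data."""
    entries, pos = [], 0
    while pos < len(blob):
        fields = []
        for i in range(5):  # field 0 is the bare 16-bit family code
            if pos + 2 > len(blob):
                raise ValueError("truncated authority file")
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if i == 0:
                fields.append(n)
                continue
            if pos + n > len(blob):
                raise ValueError("truncated authority file")
            fields.append(blob[pos:pos + n])
            pos += n
        family, address, display, name, data = fields
        entries.append({"family": FAMILIES.get(family, str(family)),
                        "address": address.decode("latin-1"),
                        "display": display.decode("latin-1"),
                        "auth_name": name.decode("latin-1"),
                        "cookie_bytes": len(data)})  # size only, never the secret
    return entries

def audit_authority_file(path):
    """Return (findings, entries); any group/other permission bit is a finding."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o exposes the cookie beyond the owner" % mode)
    with open(path, "rb") as fh:
        return findings, parse_xauthority(fh.read())
```

An authority file created by xauth is normally mode 0600, so any finding here means the file was copied or its permissions were loosened afterwards.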