
Re: Newbee-ish X and root question



* Lukas Latz <lukaslatz@yahoo.com> [20030325 13:21 PST]:
> Barry,
> 
> su -m surely does it. So what property that's carried over is it that
> makes the difference?

Two things.  Environment variables, to be precise.  The two in question
are DISPLAY and XAUTHORITY.  The former tells X clients where the
display is (after all, it could be another X server on this machine, or
another machine entirely ... it's X after all =).  The latter tells X
clients how to authenticate themselves to that display.  Your display is
smart enough to not just allow anybody that tries to connect to it.  The
dangers of such actions are greater than just anybody being able to
display nasty pictures on your screen, but also to take more control
over your X session's behavior, such as changing the way your pointer
and/or keyboard behave.  Note that using xhost generally leaves your
arse wide open like this, which is why You Should Never Use Xhost.  (If
you don't know what xhost is, great.  Just know that if anybody ever
tells you to use it, they're giving you bad advice.)

The XAUTHORITY environment variable points to a file in which a 'magic
cookie' is stored.  The X server won't allow any client to connect if it
doesn't know the magic cookie.  When you 'su -m', your original XAUTHORITY
environment variable is still present in root's environment.  This
points at a file in your non-root-user's home directory.  Since you're
now root, you have permission to read that file and get the magic cookie
contained inside.  The corollary is that this method won't work (without
a minor adjustment) when using 'su -m' to become another non-root user.
For that, you can either use the xauth tool or modify the permissions on
your xauthority file to allow the other user to read it.  (Or you can
manually give them the cookie, which is basically something that xauth
will help you do less manually.)

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"If we do not believe in freedom of speech for those we despise we do not
believe in it at all."  --Noam Chomsky

Attachment: pgpnAiHLskdns.pgp
Description: PGP signature
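
The file that XAUTHORITY points to, as described in the message above, is a sequence of binary records in the layout libXau reads. The following is an added example, not part of the original post: it parses such a file to list which display each cookie is for (reporting the cookie by length only) and checks whether the file's mode lets anyone besides its owner read it. The function names and the sample record are constructed for illustration.

```python
import os
import stat
import struct

# Family codes as defined in X11/Xauth.h
FAMILIES = {0: "Internet", 256: "Local", 65535: "Wild"}

def _counted(buf, off):
    """Read one field: 2-byte big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return buf[off + 2:end], end

def parse_xauthority(buf):
    """Return one dict per record: family, address, display, protocol, cookie_len."""
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % off)
        (family,) = struct.unpack_from(">H", buf, off)
        addr, off = _counted(buf, off + 2)
        num, off = _counted(buf, off)
        name, off = _counted(buf, off)
        data, off = _counted(buf, off)
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            "address": addr.decode("latin-1"),
            "display": num.decode("ascii", "replace"),
            "protocol": name.decode("ascii", "replace"),
            "cookie_len": len(data),  # never echo the secret itself
        })
    return entries

def readable_by_others(path):
    """True if the group or world read bit is set on the cookie file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def _field(b):
    return struct.pack(">H", len(b)) + b

# Constructed sample record: host "myhost", display :0, dummy 16-byte cookie.
SAMPLE = (struct.pack(">H", 256) + _field(b"myhost") + _field(b"0")
          + _field(b"MIT-MAGIC-COOKIE-1") + _field(bytes(range(16))))

if __name__ == "__main__":
    print(parse_xauthority(SAMPLE))
    path = os.environ.get("XAUTHORITY", os.path.expanduser("~/.Xauthority"))
    if os.path.exists(path):
        print(path, "readable by group/other:", readable_by_others(path))
```

With the usual owner-only mode on the file, `readable_by_others` returns False, which is why root can use the cookie after 'su -m' but another non-root user cannot.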

