Xserver authorization/security

To: debian-user@lists.debian.org
Subject: Xserver authorization/security
From: listcomm@ml1.net
Date: Tue, 07 Sep 2004 14:47:58 -0700
Message-id: <[🔎] 1094593678.26989.203883665@webmail.messagingengine.com>

I'm trying to get my single-user system set up so that
programs running as root to be able to open windows, etc.
(ref. the infernal message "Not allowed to connect to
server", etc. etc.)

Thus far, I've been able to get this to work by five
methods: (1) login and start "xdm" as root, (2) use "su -m"
from a "normal" account and run the root-owned
program from the resulting shell, (3) use "xauth" to export a "Magic
Cookie" from the account that started the server, log in as root
and use "xauth" to absorb the "Magic Cookie" (some people seem to
think that this convoluted mess is somehow something that an
ordinary user should be happy to put up with), (4) use "xhost +local"
from the account which started "xdm" prior to running a program
owned by root, (5) turn off security in the server by
setting the correct resource switch (forget the name right
offhand) to "false" in the "xdm" configuration file.

The first four methods require manual intervention, and the last
is probably a security risk.

I have as yet been unable to get any script that I have installed
anywhere in any startup file for the system ("init.d", et. al.)
or the X server ("Xaccess", et. al.) to successfully allow
server access to "root".  I run into $DISPLAY not
having been set yet because the server hasn't started
yet, or "xhost" not being able to accept a "-display" argument,
or the server not having been started, or things just not
having any effect for reasons unknown (the "/etc/X0.hosts" file
is an example of the latter; even *when* putting an argument like
"local" in there *does* cause "xhost" to report "LOCAL:" in its
query output, it *still* doesn't allow root access to the display).
Etc., etc., etc.

Does turning off authorization checking in the server config file
allow access to the server from outside the local host?

Is there any way, in the server config file (since that seems to be
the only place where anything I've done has any affect at all), that
I can selectively authorize server access?

Why doesn't the "X0.hosts" file have any effect?  The documentation
(which is distributed randomly around 8 different manuals etc. as
usual, but, whatever) implies that that file will only have an effect
if all other security methods ("Magic Cookies", etc. etc.) are disabled
- is that true, and if so, how can I turn all of those off?

Does anyone have any *other* ideas w/r/t how to install a system-level
shell
script somewhere, that will run an "xhost +local" command that will
establish
root access to the server?

W/r/t this last question, when I say "system-level", I mean as opposed
to
"user-level" i.e. run from an initialization file in the home directory
of whatever user started the server (and incidentally, does Linux
support
use of a ".login" file?  I don't see any reference to it anywhere).

Reply to:

Follow-Ups:
- Re: Xserver authorization/security
  - From: Stefan O'Rear <stefanor@cox.net>

Prev by Date: spamassassin upgrade (testing) has qmailu error spamd lines 1123, 1145
Next by Date: pureftpd (testing) size breaks files under subdirs > 2.1gbs
Previous by thread: spamassassin upgrade (testing) has qmailu error spamd lines 1123, 1145
Next by thread: Re: Xserver authorization/security
Index(es):
- Date
- Thread