[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Is "xhost +si:localuser:root" safe?

On 2014-07-22 23:11:21 +0200, Martin Steigerwald wrote:
> Am Dienstag, 22. Juli 2014, 17:48:24 schrieb Vincent Lefevre:
> > To be able to save/restore the XKB keymap in a /etc/pm/sleep.d script
> > (as a workaround for Debian bug 633849), xkbcomp needs to have access
> > to the display. The simplest solution I've found is a
> > 
> >   xhost +si:localuser:root
> > 
> > in my .xsession file.
> I think more fine grained would be to use xauth extract / xauth merge.

Yes, perhaps a merge with ~root/.Xauthority

> Or just:
> export XAUTHORITY=/home/$USER/.Xauthority

No, this will clash with gdm3 (if I choose to use it again).

> > I thought that this would be more or less equivalent to the current
> > status as root can due pretty much anything, such as getting the
> > user's X authority file via /proc/*/environ (my sleep.d script
> > could do the same thing, but this is a rather dirty solution).
> Hmmm, okay, so tought about this solution. Why do you think it is dirty?

This is potentially insecure. I'm the only user of the machine, but
I want to method to still be safe if there are other users, just in
case. Some user may introduce fake XAUTHORITY values, such as a
symlink pointing to some /dev file... I don't like that.

> > 
> > [*] https://lists.debian.org/debian-user/2014/05/msg00045.html
> >     http://superuser.com/a/573839 (This one even says that this
> >     isn't much different from a raw "xhost +"!)
> Well root can always set XAUTHORITY to some random user .Xauthority
> file, so I don´t see much of a difference.

The problem is that "xhost +" allows other non-root users to accede
the display of the user doing the "xhost +". "xhost +si:localuser:root"
doesn't have this problem.

Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to: