[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#196732: xserver-common: nix 'allowed_users' in Xwrapper.config; use 'xok' group instead

retitle 196372 xserver-common: improve documentation of allowed_users
severity 196372 minor
tag 196372 - wontfix

On Tue, Jun 10, 2003 at 01:39:33AM -0000, Sean Champ wrote:
> On Mon, 9 Jun 2003 12:01:22 -0500, Branden Robinson <branden@debian.org>, 196732-quiet@bugs.debian.org wrote:
> >I am probably not going to act on your implicit request (to trash the
> >allowed_users variable and functionality). 
> >
> >The reason is that, as documented in Xwrapper.config(5), "allowed_users"
> >doesn't have to do with the invoking user's identity, but rather whether
> >or not the user has control of a virtual console device. 
> Well, thanks; i get the /intent/ of it, now. 
> However, when the variable is set to "rootonly", the /effect/ is one
> that is based entirely on the user's identity. 

Well, yeah, that's the intent.  If allowed_users is "rootonly", only
root can start the X server.

Here's the C code that enforces the restrictions:

static int
checkSecLevel(SecurityLevel level)
  struct stat s;

  switch (level) {
  case RootOnly:
    if (getuid() == 0) { /* real uid is root */
      return TRUE;
    } else {
      return FALSE;
  case Console:
    if (getuid() == 0) return TRUE; /* root */
    /* see if stdin is a virtual console device */
    if (fstat(0, &s) != 0) {
      (void) fprintf(stderr,"X: cannot stat stdin\n");
      return FALSE;
    if (S_ISCHR(s.st_mode) &&
        ((s.st_rdev >> 8) & 0xff) == VT_MAJOR_DEV &&
        (s.st_rdev & 0xff) < 64) {
      return TRUE;
  case Anybody:
    return TRUE;
  return FALSE;

I do not think we are completely understanding each other.  Did you
misunderstand the meaning of the allowed_users variable, or did you
understand it but simply want it to work differently?

(Perhaps "allowed_users" should be renamed to "access_policy".)

G. Branden Robinson                |    Imagination was given man to
Debian GNU/Linux                   |    compensate for what he is not, and
branden@debian.org                 |    a sense of humor to console him for
http://people.debian.org/~branden/ |    what he is.

Attachment: pgpZnHyXEdlSd.pgp
Description: PGP signature

Reply to: