> I installed the smail package and related files. How can I be sure
> this is being used and not sendmail? Also when I su to root from a
> user account and try to run an X program I get the following message:
>
> Xlib: Invalid MIT-MAGIC-COOKIE-1 key
>
> Initialization error: X server not responding
> : ":0.0"
>
> I am not sure what to do with this. TIA

Someone asked a similar question a few months ago. Here is my response
together with a correction/clarification of the problem/solution.

I hope this helps,
Kirk

----Forwarded Message:----

Tom Allard wrote:
>
> Kirk Hogenson wrote:
>
> > The problem is that "you" own the X session, "root" doesn't.
> >
> > The easiest way to get this to work is to type
> >
> > xhost + localhost
> >
> > before you do your su. This means that you'll let anyone
> > from the host "localhost" (ie, your computer) connect to your
> > X.
> >
> > However, I recall there were some security risks associated with
> > using xhost like this... maybe someone else will point them out.
>
> Ok, I will. If you do that, ANYONE on the hosts added can capture
> keys, dump your window, and virtually hijack your computer
> completely.
>
> > If you aren't connected to a network (or just dial up occasionally
> > using, eg, ppp) then you should have no problems. (Using
> > "xhost + localhost" helps, lots of people just use "xhost +",
> > which allows *anyone* from *anywhere* access -- bad idea.)
>
> I really think there is no reason to *ever* do "xhost + anything".
>
> First, Tcl's "send" command will not operate if xhost security is
> allowed at all. That would break things like exmh which use send to
> talk to a background process. Tcl disables "send" when "xhost +" is
> used because it would otherwise allow simple control of *everything*
> (send combined with exec).
>
> While "send" is not a security issue when "xhost +" is used, you lose
> functionality, even if you never ever connect to any other computer.
>
> The other reason not to ever run "xhost +" is because there are better
> ways to share your X session. For root, it is extremely easy. For
> other users, it's a little more tricky:
>
> For root:
>
> root# XAUTHORITY=/home/your_id/.Xauthority
> root# DISPLAY=:0.0
> root# export XAUTHORITY DISPLAY
>
> "your_id" is the id of whoever ran "startx".
>
> For NON-root users:
>
> You can use "xauth" to extract the key from one user and to add the
> key to the other. The tricky part is in keeping it secure in the
> meantime. Encrypting with pgp is one possibility.
>
> To extract a key:
>
> user1% xauth extract my_key $DISPLAY
>
> The file my_key has your key in it (xauth SHOULD create it with user
> rw permissions only). Do whatever you need to to securely transfer it
> to the other user, and then have that user run:
>
> user2% xauth merge my_key
> user2% DISPLAY=:0.0
> user2% export DISPLAY
>
> Note that user2 now has complete control to your X session until you
> end it and start a new one (at which time a new key will be
> generated). If user1 is running any Tcl application which has send
> enabled (default), user2 can tell that Tcl application to exec
> arbitrary commands and return the results to user2. There is also
> nothing prohibiting user2 from giving the key to user3! You wouldn't
> want to do this to someone you didn't trust.
>
> As far as I know, you can't change the xauth key during a session.
> Still, this is far better than giving unlimited users access to your X
> session.
>
> Finally, your keys are stored in ~/.Xauthority, so make sure you don't
> give global access to it.
>
> rgds-- TA ([EMAIL PROTECTED])
> I don't speak for the Federal Reserve Board, it doesn't speak for me.
>
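
An added example, not part of the original messages: a small audit of the key file the forwarded message says to protect (~/.Xauthority, or an extracted file such as my_key). It assumes the usual Xauthority record layout (big-endian 16-bit family, then four length-prefixed fields) and 16-byte MIT-MAGIC-COOKIE-1 keys; the function names and the sample entry are made up for illustration.

```python
import os
import stat
import struct

def pack_entry(family, address, number, name, data):
    """Serialize one entry: 16-bit family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Parse Xauthority bytes; report the key length only, never the key."""
    entries, pos = [], 0
    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated Xauthority entry")
        chunk = blob[pos:pos + n]
        pos += n
        return chunk
    while pos < len(blob):
        (family,) = struct.unpack(">H", take(2))
        # Field order: address, display number, auth name, auth data.
        address, number, name, data = (
            take(struct.unpack(">H", take(2))[0]) for _ in range(4))
        entries.append({
            "family": family,  # 256 is the local (same-host) family
            "address": address.decode("latin-1"),
            "display": number.decode("ascii", "replace"),
            "name": name.decode("ascii", "replace"),
            "cookie_len": len(data),
        })
    return entries

def audit(path):
    """Return findings for one key file; an empty list means none."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit exposes the key to other users
        findings.append("mode %04o: group/other can reach the key" % mode)
    with open(path, "rb") as fh:
        for e in parse_xauthority(fh.read()):
            if e["name"] == "MIT-MAGIC-COOKIE-1" and e["cookie_len"] != 16:
                findings.append("display :%s: unexpected key length %d"
                                % (e["display"], e["cookie_len"]))
    return findings

# Constructed sample: one local entry for display :0 with a dummy all-zero key.
SAMPLE = pack_entry(256, b"myhost", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
```

Calling `audit(os.path.expanduser("~/.Xauthority"))` on a file with mode 0600 and well-formed entries returns an empty list.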