On Wed, Nov 29, 2000 at 04:38:09PM +0100, robert_wilhelm_land wrote:
<snipped stuff about linking /root/.Xauthority to ~user/.Xauthority>
> > No! Don't do this! By doing so you are lowering the security level of
> > your machine down to your user account. It's bad enough that security
> > depends on a root account; it should *never* depend on a user account.
> >
> Lowering only the X11 root permissions or the permissions of all apps?
>
> I tried to edit /etc/passwd by user "rland" and it did not work. So
> file restrictions do not seem to be affected by root accessing
> .Xauthority in the rland ~/.

No, it doesn't affect how actual commands behave. Root's account should be a protected and self-contained account. That's one of the reasons that root's not allowed (by default) to log in via the network. By having root read a user's configuration files, you're setting things up such that the ability to access your configuration file is identical to the ability to access root's config file. Any unauthorized access to your account implies access to root's account.

In other words, if somebody cracked your machine in such a way that they could log in as you (*much* easier than cracking root access) they could use the fact that root reads your config files to gain root access. They could effectively modify root's .Xauthority simply by editing your own.

I'm sure you'll think that that's very far-fetched and extremely unlikely to happen. You're right, it probably won't ever happen. But it is something that you should be aware of and it's good to avoid it. It is a bad habit to get into. There are better and more secure ways to give root access to your user's X server. You should use those.

Hope that clarifies things.

noah

--
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
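An added example, not part of the original message: a Python check for the condition the reply warns about, namely a file that root reads (such as /root/.Xauthority) resolving to something a non-root account owns or can write. The function name, the `trusted_uids` parameter and the temporary directory layout are assumptions made for illustration; the sample files are constructed.

```python
import os
import stat
import tempfile

def audit_root_read_path(path, trusted_uids=frozenset({0})):
    """Return reasons why a file that root reads can be changed by someone else."""
    findings = []
    if os.path.islink(path):
        findings.append(f"{path} is a symlink to {os.readlink(path)}")
    real = os.path.realpath(path)
    if not os.path.exists(real):
        findings.append(f"{real} does not exist (dangling link)")
        return findings
    # Check the resolved file and the directory holding it: whoever owns or can
    # write either one controls the content root ends up reading.
    for p in (real, os.path.dirname(real)):
        st = os.stat(p)
        if st.st_uid not in trusted_uids:
            findings.append(f"{p} is owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p} is group- or world-writable")
    return findings

def build_constructed_layout():
    """Constructed sample: a stand-in 'root home' whose .Xauthority links into a 'user home'."""
    base = tempfile.mkdtemp()
    user_home = os.path.join(base, "user_home")
    root_home = os.path.join(base, "root_home")
    os.mkdir(user_home, 0o700)
    os.mkdir(root_home, 0o700)
    target = os.path.join(user_home, ".Xauthority")
    os.close(os.open(target, os.O_CREAT | os.O_WRONLY, 0o600))
    link = os.path.join(root_home, ".Xauthority")
    os.symlink(target, link)
    return link, target

if __name__ == "__main__":
    link, _ = build_constructed_layout()
    # The current uid plays the role of the ordinary user here, so it is not trusted.
    for finding in audit_root_read_path(link, trusted_uids={os.getuid() + 1}):
        print("FINDING:", finding)
```

On a real system the call would be `audit_root_read_path("/root/.Xauthority")` with the default trusted set, run with enough privilege to stat the path.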