on Mon, Jan 29, 2001 at 03:58:02PM -0700, Gary Hennigan ([EMAIL PROTECTED]) wrote:
> kmself@ix.netcom.com writes:
> > on Sun, Jan 28, 2001 at 02:12:44AM -0800, Terry Carney ([EMAIL PROTECTED]) wrote:
> > > On Sat, 27 Jan 2001, Christopher R. Barry wrote:
> > >
> > > > Xlib: connection to ":0.0" refused by server
> > > > Xlib: Client is not authorized to connect to Server
> > > > Error: Can't open display: :0.0
> > > >
> > > > I guess tonight I finally want to get around to figuring out how to
> > > > stop this from happening. What do I do so I can run programs as root?
> > >
> > > The following works for me. All on one line in case of wordwrap.
> > >
> > > XAUTHORITY=/home/username/.Xauthority;DISPLAY=:0.0;export XAUTHORITY DISPLAY
> >
> > *Don't* do this.
> >
> > You're now allowing access to root's X display via an unprivileged
> > user's file. If that file is compromised, root's X access is
> > compromised. This includes changing the value of the cookie in the
> > file.
> >
> > Better to merge against a user's file. This allows you to match the
> > present state of the file, but prevent future values from being applied
> > to root's X authorization keys. Puts root in stronger control.
>
> I guess I don't understand the difference. If the user's ~/.Xauthority
> file is compromised, and that user owns the X session, all bets are
> off. Anything opened as root, and displayed in the user-owned X
> session, is up for grabs.

Yes, but: root can revoke the cookie. If you point to, or worse, link to, a user file, root no longer has immediate control over its own X session and cookie values.

I need to research how Xauthority works, I believe it's not as wide open as I seem to fear. I still don't think it's a good practice, and might lead to problems with, say, multiple users as root at the same time -- not unlikely in a shared system with shared root access, whether via password or sudo.

Points about security as compromise taken.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?      There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
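
The difference between pointing XAUTHORITY at the user's file and merging from it, shown on the .Xauthority record layout (added example, not part of the original thread). The host name, cookie bytes and the helper names are constructed for illustration, and the matching rule in `merge` is an assumption that simplifies what `xauth merge` does.

```python
import struct

FAMILY_LOCAL = 256                      # FamilyLocal in Xauth.h
COOKIE = b"MIT-MAGIC-COOKIE-1"

def pack_entry(family, address, number, name, data):
    """Serialize one entry: 2-byte family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Return a list of (family, address, number, name, data) tuples."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):              # address, display number, name, data
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated Xauthority entry")
            fields.append(blob[pos:pos + n])
            pos += n
        entries.append((family, *fields))
    return entries

def merge(root_entries, user_entries):
    """Copy user entries into root's list, superseding matching ones.
    Assumption: entries match on family, address, display number and name."""
    merged = {e[:4]: e for e in root_entries}
    merged.update({e[:4]: e for e in user_entries})
    return list(merged.values())

def cookie_for(entries, number):
    """Cookie stored for a display number, or None."""
    return next((e[4] for e in entries if e[2] == number and e[3] == COOKIE), None)

def demo():
    # Constructed sample data: the user's file at merge time and after a rewrite.
    at_merge = pack_entry(FAMILY_LOCAL, b"host", b"0", COOKIE, bytes(range(16)))
    rewritten = pack_entry(FAMILY_LOCAL, b"host", b"0", COOKIE, bytes(16))
    merged_copy = merge([], parse_xauthority(at_merge))   # root's own snapshot
    pointed_at = parse_xauthority(rewritten)              # re-read via XAUTHORITY
    return cookie_for(merged_copy, b"0"), cookie_for(pointed_at, b"0")

if __name__ == "__main__":
    merged, pointed = demo()
    print("merged copy :", merged.hex())
    print("pointed file:", pointed.hex())
```

The merged copy still holds the cookie as it was at merge time, while anything reading through the user's file sees whatever that file contains now.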