Superuser on MY system can do anything. He/she can shutdown the
system, delete my home directory, delete /usr, etc. There is
no logical reason that superuser on my own system cannot connect
to anyone's display by default. There is no security in this
behavior given the powers of superuser/root as listed above.
Connecting to a user's display as root is nothing compared to
the other security issues, system safety issues that automatically
reside with root/superuser.
How can su not being able to, by default, connect to my display
(as I login as superuser rather than login as root at the
getgo - which is THE recommended way to administer things)
be safe and secure? Su can kill my session at will, delete
my name/password, delete my directory, etc. With all that,
being able to simply connect to my display by default so that
it is simple for su to administer the system - run control-panel,
linuxconf, etc - is doable by default. I run this system.
I need to alter things from time to time. It is a royal pain
for the default behavior to require that a user logout, root
login and do his thing, logout, let the user relogin. This
inability to connect to display by default makes this NECESSARY.
If su could connect to a display by default, a user (myself who
is also the arbiter of what this system is or will be, etc)
would not have to logout and root would not have to login.
That is why this automatic, default behavior towards a system's
superuser is ridiculous. It is not more secure to do things this
way given the power of superuser overall. If someone who isn't
authorized to run su cracks into root, then all is lost
REGARDLESS of the supposed security of su not being able to
connect to a user's display.
patrick
-----Original Message-----
From: Tom Gilbert [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 30, 2000 6:27 AM
To: Patrick O Neil
Cc: recipient.list.not.shown
Subject: Re: cannot connect to display :0.0
* Patrick O Neil ([EMAIL PROTECTED]) wrote:
> I know this has been asked off and on in the past but...
> I would REALLY like to eliminate this annoyance once
> and for all. My feeling is that as superuser, this
> should NEVER apply, EVER. As su I can do ANYTHING
> and I should not be prevented from connecting to
> display this or that at all.
>
> Basically, I go to su in an xterm and try to run
> linuxconf, control-panel, or whatever and I keep
> getting the annoying message that I cannot connect
> to display :0.0. How do I fix things so that I
> CAN connect to :0.0 as su no matter what?
>
> Please direct me to a howto, faq, or simply tell me
> how I fix this?
>
> patrick
In your ~/.xinitrc (or .xsession if you use runlevel 5), add the line:
xhost +localhost
before the line which starts your wm.
As to your comment:
> My feeling is that as superuser, this
> should NEVER apply, EVER. As su I can do ANYTHING
> and I should not be prevented from connecting to
> display this or that at all.
So if I su on my machine, then I should be able to connect to your X
server and execute commands as root? That's very generous of you, but
also foolish ;)
The reason you can't do it by default is simply security. By default,
other people can't connect to your X server and do stuff. You have to
specifically let them. This is the way it should be.
Tom.
--
.-------------------------------------------------------.
.^. | Tom Gilbert, England | [EMAIL PROTECTED] |
/V\ |----------------------| www.tomgilbert.freeserve.co.uk |
// \\ | Sites I recommend: `--------------------------------|
/( )\ | www.freshmeat.net www.enlightenment.org slashdot.org |
^^-^^ `-------------------------------------------------------'
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.