Hello Chris,

On Wed, Aug 08, 2018 at 08:58:24PM +0200, Chris Hofstaedtler wrote:
> * Helge Kreutzmann <deb...@helgefjell.de> [180808 18:57]:
> > On Tue, Aug 07, 2018 at 08:20:23PM +0100, Simon McVittie wrote:
> > > Andreas already asked for a merge request, so it seems that proposing a
> > > patch would indeed be welcome.
> >
> > I'll do, incorporating your excellent explanation. I'll do so until
> > the end of the week (latest).
>
> Gentle reminder about this.
Here you are: --- ./su.1.orig 2017-09-27 11:05:13.717361420 +0200 +++ ./su.1 2018-08-09 21:04:24.370998117 +0200 @@ -261,6 +261,27 @@ .RS .br session required pam_lastlog.so nowtmp +.PP +.RE +Further by default +.B su +does not allow the commands to access the current X display. To allow +graphical applications with the privileges of a different user +(called "otheruser" in this example) several +options exists. These are, in order of preference (security-wise): +.RS 10 +.TP +o +Use a separate X display (e.g. "Switch User" in GNOME, or the equivalent fast-user-switching feature in other desktop environments), or a "thicker" remoting layer like VNC, Spice or Xpra. +.TP +o +Use ssh, e.g. "ssh -X -oForwardX11Trusted=no otheruser@localhost". +.TP +o +Allow \fBsu\fR explicit display access by issuing "xhost +si:localuser:otheruser" in +the originating X session and "DISPLAY=:0 command" under \fBsu\fR. +This has serious security implications and hence should only be used in +trusted environments. .RE .SH "SEE ALSO" .BR setpriv (1), Feel free to update. Greetings Helge -- Dr. Helge Kreutzmann deb...@helgefjell.de Dipl.-Phys. http://www.helgefjell.de/debian.php 64bit GNU powered gpg signed mail preferred Help keep free software "libre": http://www.ffii.de/
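Review bot: in the new paragraph, "several options exists" should read "several options exist", and "Further by default" wants a comma ("Further, by default"). Two technical points on the same paragraph: the opening sentence attributes the restriction to su itself, but what actually blocks display access is X authorization (the target user cannot read the calling user's Xauthority cookie; a login shell via "su -" additionally drops DISPLAY from the environment), so something like "commands run under su normally cannot access the current X display" would be more accurate. The third option hard-codes "DISPLAY=:0", which only works when the originating session is on display :0; suggest qualifying it, e.g. "DISPLAY=:0 (or whatever DISPLAY is set to in the originating session)". It is also worth saying explicitly that "xhost +si:localuser:otheruser" grants that user unrestricted access to the whole X session, not just to one application, since that is what justifies the "serious security implications" sentence. The roff nesting looks correct (the added ".PP"/".RE" closes the ".RS" opened before "session required pam_lastlog.so nowtmp", and the existing ".RE" closes the new ".RS 10"), but the bullets should use ".IP \(bu" or similar rather than a literal "o" under ".TP".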