On Sun, May 08, 2011 at 11:51:40PM +0200, Vincent Zweije wrote:

|| Looking at /etc/ati/authatieventsd.sh, this piece of code is wrong:
|| > revoke)
|| > if [ `pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'` ]; then
|| > user=`pinky -fs | awk '{ if ($3 == "'$2'" || $(NF) == "'$2'" ) { print $1; exit; } }'`
|| > su $user -c "xauth -f $3 remove $2" || exit -1
|| > else
|| > xauth -f $3 remove $2 || exit -1
||
|| And strictly speaking, the same twice here, but the secret is being
|| removed so exploiting its knowledge would be very hard though not
|| theoretically impossible. Anyway, if you're fixing the grant case, do the
|| revoke case at the same time so they use the same method. It's just good
|| software engineering.

I think I had my eyes crossed here. No secret cookie is being mentioned,
only the display name which is not secret.

Ciao. Vincent.
--
Vincent Zweije <[email protected]> | "If you're flamed in a group you
<http://www.xs4all.nl/~zweije/> | don't read, does anybody get burnt?"
[Xhost should be taken out and shot] | -- Paul Tomblin on a.s.r.

