Control: retitle 905409 util-linux: "su -" no longer copies DISPLAY and 
XAUTHORITY to child, but this is not documented

I'm retitling the bug since the new su implementation does break patterns
involving xhost that used to work, but it is not the xhost step that
is affected, making the title misleading.

On Sun, 05 Aug 2018 at 05:40:32 +0200, Andreas Henriksson wrote:
> On Sat, Aug 04, 2018 at 08:59:29AM +0200, Davide Prina wrote:
> > $ xhost +si:localuser:temp
> > $ su - temp

Please note that this pattern gives the temp user the ability to log
everything that you type into other X applications, and gives the temp
user the ability to inject input into your other X applications. That
is usually enough to let the temp user escalate privileges to those of
the initiating user, defeating the purpose of using separate users.

If you want privilege separation, X is unfortunately not the right tool.
Consider using a separate X display (for example "Switch User" in
GNOME, or the equivalent fast-user-switching feature in other desktop
environments), or a "thicker" remoting layer like VNC, Spice or Xpra.

It is also worth considering using ssh to localhost instead of su:
ssh already needs to know about differing privilege, and
"ssh -X -oForwardX11Trusted=no" might be able to mitigate the design
issues in X.

On Mon, 06 Aug 2018 at 17:31:35 +0200, Helge Kreutzmann wrote:
> this change (requiring a DISPLAY=:0) is really surprising. I've used su
> for ages and a simple xhost + (yes, I know that this has security
> implications) was sufficient.

"xhost +" grants access to your display to *literally any user*,
including special-purpose system users like "nobody" and the users
that run network servers. Please avoid this pattern! If you need to
grant unlimited access to your display to another user, at least use
"xhost +si:localuser:$THEIR_USERNAME".  (Or, again, consider using a
separate X display, or Xpra, or similar.)

> Please document this in a public place, the best would be the man page
> as that is where users are looking for (a NEWS entry would only catch
> administrators once).
> 
> I suggest putting it under NOTES. If you like, I can draft up a patch.

Andreas already asked for a merge request, so it seems that proposing a
patch would indeed be welcome.

    smcv
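The message above warns against "xhost +" and recommends the scoped "xhost +si:localuser:USER" form. As an added example (not part of the bug report or of util-linux), the following POSIX shell function audits a display's access-control list as printed by xhost, flagging the wide-open "access control disabled" state and host-based entries that admit every user on a host, while treating SI:localuser entries as scoped grants. The xhost listings it runs on at the bottom are constructed samples, since the listing format is assumed from xhost's usual output and the audit cannot be run against a real display here.

```shell
#!/bin/sh
# Added example, not code from the bug report: audit an xhost listing.
# Assumed xhost output format: one header line ("access control enabled ..."
# or "access control disabled ..."), then one ACL entry per line, e.g.
#   SI:localuser:temp      (from: xhost +si:localuser:temp)
#   INET:somehost          (from: xhost +somehost)
#   LOCAL:                 (from: xhost +local:)

# Read an xhost listing on stdin. Prints one finding per entry and returns
# 0 when every grant is scoped to a named local user, 1 when any user on
# this or another host could connect to the display.
audit_xhost_acl() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control disabled (xhost +): any user, including system users, can connect"
                status=1 ;;
            "access control enabled"*)
                ;;
            SI:localuser:*)
                echo "INFO: scoped grant to local user '${line#SI:localuser:}'"
                ;;
            INET:*|INET6:*|LOCAL:)
                echo "WARNING: entry '$line' admits every user on the matching host(s)"
                status=1 ;;
            "")
                ;;
            *)
                echo "WARNING: unrecognised entry '$line', review manually"
                ;;
        esac
    done
    return "$status"
}

# Constructed sample listings (no X display is needed to run this script).
sample_open='access control disabled, clients can connect from any host'
sample_scoped='access control enabled, only authorized clients can connect
SI:localuser:temp'

for sample in "$sample_open" "$sample_scoped"; do
    echo "--- auditing listing ---"
    if printf '%s\n' "$sample" | audit_xhost_acl; then
        echo "result: grants are scoped to named local users"
    else
        echo "result: display is wide open; re-enable access control with 'xhost -' and grant per user with 'xhost +si:localuser:USER'"
    fi
done
```

On a real session, pipe the live listing in with `xhost | audit_xhost_acl`; a non-zero return is the signal that the display should be locked down again before handing anything to another user.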
