"Noah L. Meyerhans" wrote: > > On Wed, Nov 29, 2000 at 04:38:09PM +0100, robert_wilhelm_land wrote: > > <snipped stuff about linking /root/.Xauthority to ~user/.Xauthority> > > > > No! Don't do this! By doing so you are lowering the security level of > > > your machine down to your user account. It's bad enough that security > > > depends on a root account; it should *never* depend on a user account. > > > > > > Lowering only the X11 root permissions or the permisions of all apps? > > > > I tried to edit /etc/passwd by user "rland" and it did not work. So > > file restrictions do not seem to be affected by root accessing > > .Xauthority in the rland ~/. > > No, it doesn't affect how actual commands behave. Root's account should > be a protected and self-contained account. That's one of the reasons > that root's not allowed (by default) to log in via the network. By > having root read a user's configuration files, you're setting things up > such that the ability to access your configuration file is identical to > the ability to access root's config file. Any unauthorized access to > your account implies access to root's account. In other words, if > somebody cracked your machine in such a way that they could log in as > you (*much* easier than cracking root access) they could use the fact > that root reads your config files to gain root access. They could > effectively modify root's .Xauthority simply by editing your own.
Thanks for your response, Noah. Noah, unfortunatly I'm not able to follow your explaination because I have no precise imagination exactly how the link lowers the system security. I have had a look into .Xautority, but its a binary. Then the link someone suggested is uni-directional and not bi-directional. So if I would set the /root dir to drw- --- --- nobody would be able to see the link. After all, this autority file only seems to restrict X11 access and as a newbie I have absolutely no idea what might happen when setting the suggested link. The only thing which just pops up into my mind is the TCP traffic OS<->X11 which might be spoofed when lowering X11 root permissions. Was that what you wanted to say? But how can this happen when keeping only to a local mashine? Robert