Re: x-display-export policy von woody
Niels Heinemann [EMAIL PROTECTED] wrote: es ist mir in woody nicht mehr moeglich, als root den xserver eines users zu nutzen. das geht weder mit xhost/xauth und export noch mit ssh (-X). unter potato und anderen distris wars kein problem. [...] Zu xauth/xhost: /usr/share/doc/xfree86-common/README.Debian-upgrade.gz | TCP AND UDP PORT LISTENING DISABLED BY DEFAULT: downhill:~# XAUTHORITY=/home/ametzler/.Xauthority DISPLAY=:0.0 xlogo funktioniert, das hier downhill:~# XAUTHORITY=/home/ametzler/.Xauthority DISPLAY=localhost aber nicht. Zu ssh: /usr/share/doc/ssh/README.Debian.gz | X11 Forwarding: |--- | ssh's default for ForwardX11 has been changed to ``no'' sshd_config(5) | X11Forwarding | Specifies whether X11 forwarding is permitted. The default is | ``no''. cu andreas -- Zum AUSTRAGEN schicken Sie eine Mail an [EMAIL PROTECTED] mit dem Subject unsubscribe. Probleme? Mail an [EMAIL PROTECTED] (engl)
Re: x-display-export policy von woody
howdy, andreas. Andreas Metzler wrote on Sat, 27 Jul 2002 08:51:24 +0200: Zu xauth/xhost: /usr/share/doc/xfree86-common/README.Debian-upgrade.gz | TCP AND UDP PORT LISTENING DISABLED BY DEFAULT: aehemm. vielen dank - das habe ich uebersehen. insofern funktioiert es mit der portangabe ohne den host tatsaechlich. .Xauthority hab ich nun einfach softgelinkt (single-user-box). Zu ssh: /usr/share/doc/ssh/README.Debian.gz | X11 Forwarding: --- ssh's default for ForwardX11 has |been changed to ``no'' ja, das stimmt. der -X switch sollte aber dennoch gehen. denn das default-forwarding wurde ja disabled. 1000dank nochmal und gruesse, niels -- | /\ (niels|www.)ortschmiede.de | \ / ASCII-Ribbon-Campaign pgp|gpg - mails preferred | X Against HTML Mail | / \ msg13730/pgp0.pgp Description: PGP signature
Re: x-display-export policy von woody
Niels Heinemann [EMAIL PROTECTED] wrote: [...] Zu ssh: /usr/share/doc/ssh/README.Debian.gz | X11 Forwarding: --- ssh's default for ForwardX11 has |been changed to ``no'' ja, das stimmt. der -X switch sollte aber dennoch gehen. denn das default-forwarding wurde ja disabled. Nein, es wurde auch serverseitig im sshd per default abgeschaltet, da kann das Clientprogramm so laut wie es will -X rufen, es nutzt nichts, wenn es der Server nicht erlaubt. cu andreas -- Zum AUSTRAGEN schicken Sie eine Mail an [EMAIL PROTECTED] mit dem Subject unsubscribe. Probleme? Mail an [EMAIL PROTECTED] (engl)
Re: x-display-export policy von woody
howdy, again. Andreas Metzler wrote on Sat, 27 Jul 2002 12:34:18 +0200: Nein, es wurde auch serverseitig im sshd per default abgeschaltet, da hast du recht. dank dir fuer die kleinschrittige hilfe ... gruss, niels -- | /\ (niels|www.)ortschmiede.de | \ / ASCII-Ribbon-Campaign pgp|gpg - mails preferred | X Against HTML Mail | / \ msg13741/pgp0.pgp Description: PGP signature
X won't allow display export...
I am unable to successfully export the display from one of my Debian boxen to another. I tried the following on the box I was using X on: xhost + and the following on the box I was trying to export the display from: export DISPLAY=10.1.1.33:0.0 Normally, this has worked under other distros and Unices (I have a Mandrake box and two SPARC's running Solaris 8 here), but I can't get it to work under Debian. Is there some package I've forgotten to install?? --Aaron Traas
Re: X won't allow display export...
Go to the machine you're trying to push X to (the one where you did xhost +) and cd to /etc/X11/xinit and vi xserverrc I believe. Make sure the option -nolisten tcp has been removed. If not, remove those 2 words and restart X. I wish it could be done without restarting X but I don't know how. Security feature. Thus spake Aaron Traas ([EMAIL PROTECTED]): I am unable to successfully export the display from one of my Debian boxen to another. I tried the following on the box I was using X on: xhost + and the following on the box I was trying to export the display from: export DISPLAY=10.1.1.33:0.0 Normally, this has worked under other distros and Unices (I have a Mandrake box and two SPARC's running Solaris 8 here), but I can't get it to work under Debian. Is there some package I've forgotten to install?? --Aaron Traas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] :wq! --- Robert L. Harris| Micros~1 : Senior System Engineer |For when quality, reliability at RnD Consulting | and security just aren't \_ that important! DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else. FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
AW: X won't allow display export...
I do it this way: * start xterm (or any X-shell) on the client box * xhost + * ssh -X -l user server_name * type xterm and you are in your server. Dieter I am unable to successfully export the display from one of my Debian boxen to another. I tried the following on the box I was using X on: xhost + and the following on the box I was trying to export the display from: export DISPLAY=10.1.1.33:0.0 Normally, this has worked under other distros and Unices (I have a Mandrake box and two SPARC's running Solaris 8 here), but I can't get it to work under Debian. Is there some package I've forgotten to install?? --Aaron Traas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: AW: X won't allow display export...
* start xterm (or any X-shell) on the client box * xhost + ^^^ this is overkill if you're going to use ssh; * ssh -X -l user server_name the -X forwards X packets so there's no need to turn off X security with xhost. -- Andrew J Perrin - [EMAIL PROTECTED] - http://www.unc.edu/~aperrin Assistant Professor of Sociology, U of North Carolina, Chapel Hill 269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA On Tue, 31 Jul 2001, Schoppitsch Dieter wrote: I do it this way: * start xterm (or any X-shell) on the client box * xhost + * ssh -X -l user server_name * type xterm and you are in your server. Dieter I am unable to successfully export the display from one of my Debian boxen to another. I tried the following on the box I was using X on: xhost + and the following on the box I was trying to export the display from: export DISPLAY=10.1.1.33:0.0 Normally, this has worked under other distros and Unices (I have a Mandrake box and two SPARC's running Solaris 8 here), but I can't get it to work under Debian. Is there some package I've forgotten to install?? --Aaron Traas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: X won't allow display export...
Robert L. Harris [EMAIL PROTECTED] writes: Make sure the option -nolisten tcp has been removed. Or if you don't trust the network, tunnel the connection via ssh.
Re: X won't allow display export...
Aaron Traas, What about DISPLAY=:0.0? Aaron Traas ([EMAIL PROTECTED]) said thusly on [31/07/01 at 16:25]: and the following on the box I was trying to export the display from: export DISPLAY=10.1.1.33:0.0 The radical invents the views. When he has worn them out, the conservative adopts them. Notebooks
Re: display export??
Simply execute 'xhost +localhost' before doing a su. the use of xhost to do this is grequentlyh considered a security risk by folks who understand such things (But I'm not one of them, so don't ask me to explain why :) There's (at least) two secure ways to do things. One is to, as the logged in user, type xauth list $DISPLAY and receive something back like hawkins/unix:0 MIT-MAGIC-COOKIE-1 89978798dea097090890907890 then, in your root window, type xauth add $DISPLAY MIT-MAGIC-COOKIE-1 89978798dea097090890907890 (use the mouse to cut and paste; you're not likely to type that many hex digits correctly) another way is to use ssh, which tunnels X. I have the alias alias rw nice xterm -bg pink -fg black -geom 80x25-5+200 -T [EMAIL PROTECTED] -e ssh localhost -lroot to launch the terminal, label it, paint it pink as a warning, and begin the ssh session. hawk
Re: display export??
On Thu, Jul 13, 2000 at 08:52:22PM -0400, Noah L. Meyerhans wrote: -BEGIN PGP SIGNED MESSAGE- On Fri, 14 Jul 2000, Ragga Muffin wrote: do I need to export DISPLAY localhost? Im not sure of the syntax...am I on the right track? Yes and no. What yuo need to do is temporarily permit x-connections from your localhost if you want to start an x program with a different user than the current session (in this case root) Simply execute 'xhost +localhost' before doing a su. I think that doing xhost local:root is better. There are 2 reasons for this: 1. You're specifying a user name, which gives added security if you've got a multi-user system. 2. You're specifying a local connection, not a connection that uses a network interface. The X server connections with use Unix sockets, not TCP sockets. This gives you less overhead since you don't have to send all your data through a TCP stack. The solution I found awhile ago was to link /root/.Xauthority to /home/user/.Xauthority John noah ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html -BEGIN PGP SIGNATURE- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOW5kTIdCcpBjGWoFAQGFjAP/V/dalkL6GK7O8Mwbgd//3GpLQLU7e5GG wPl9hHIZm8tjx1FOHlxtnpxHw8RREof1ttubhR1n2Rvs8UVXfHpqIf0V5nQf2FGA viuMT6NUtFfi2fcvq9607vc2nPPR8yqwe5aMFhVV3fj13PpIYRqxz0nnuH7NoU+F 3AN2DeTRBDo= =MEnf -END PGP SIGNATURE- -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] /dev/null -- Using Linux
display export??
Im new to debian so Im not familiar with all the display settings. When I used mandrake, there were certain programs that needed to be run as root - like linuxconf/mtv/xcdroast etcall I needed to do was su and run them. Now in debian when I try such a move, i get a "cant set display" not authorized do I need to export DISPLAY localhost? Im not sure of the syntax...am I on the right track?
Re: display export??
Ethan Pierce wrote: Im new to debian so Im not familiar with all the display settings. When I used mandrake, there were certain programs that needed to be run as root - like linuxconf/mtv/xcdroast etcall I needed to do was su and run them. Now in debian when I try such a move, i get a cant set display not authorized do I need to export DISPLAY localhost? Im not sure of the syntax...am I on the right track? The problem is that the xserver session belongs to you as a user, and it doesn't want anyone else, including root, to be executing clients on the same platform. I'm not understanding how to directly change this, but an easy work-around is to CTL-ALT-F2...F3, log in as root, and startx -- :1. This starts a new display. Then, you can flip between them with CTL-ALT-F7 ... CTL-ALT-F8. -- [EMAIL PROTECTED] 972-729-5387 [EMAIL PROTECTED] (home phone on request) http://www.koyote.com/users/bolan RE: xmailtool http://www.koyote.com/users/bolan/xmailtool/index.html I am the ILOVEGNU signature virus. Just copy me to your signature. This email was infected under the terms of the GNU General Public License.
Re: display export??
-BEGIN PGP SIGNED MESSAGE- On Thu, 13 Jul 2000, Bolan Meek wrote: snipped stuff about X server security I'm not understanding how to directly change this, but an easy work-around is to CTL-ALT-F2...F3, log in as root, and startx -- :1. This starts a new display. Then, you can flip between them with CTL-ALT-F7 ... CTL-ALT-F8. There's a much easier workaround for this: Give root permission to access the display (i.e. the X Server). There are many issues with allowing any kind of access to the X server, and you don't want to do it unnecessarily. But in this case, since everybody (your user and the root login via su) it's probably safe. As the user who owns the X session, run 'xhost local:root' Then as the root user (in the shell where you'll be running commands as root), run 'export DISPLAY=:0' to tell X clients run within that shell what display to access. HTH. noah ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html -BEGIN PGP SIGNATURE- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOW4nHodCcpBjGWoFAQGtawQAgMuiiXPKGc88BnGhkJ4fcZwVMgbdGWCe enXp1bekaKKl4cvV+DUihdJ0E+SuozpgR+Bo3gGYa0NTG3okvEAYVB34Obo3TTYC S52XQsLv9gUaT3UpOyhM/6EdPlM66r4QxhRTHC0wHHsZDVd6OnQOLP7WHi0B2bMc DGBg1vEfC+M= =qV/t -END PGP SIGNATURE-
Re: display export??
Ethan Pierce [EMAIL PROTECTED] wrote: Im new to debian so Im not familiar with all the display settings. When I used mandrake, there were certain programs that needed to be run as root - like linuxconf/mtv/xcdroast etcall I needed to do was su and run them. Now in debian when I try such a move, i get a cant set display not authorized do I need to export DISPLAY localhost? Im not sure of the syntax...am I on the right track? Yes and no. What yuo need to do is temporarily permit x-connections from your localhost if you want to start an x program with a different user than the current session (in this case root) Simply execute 'xhost +localhost' before doing a su. HTH -- Ragga
Re: display export??
-BEGIN PGP SIGNED MESSAGE- On Fri, 14 Jul 2000, Ragga Muffin wrote: do I need to export DISPLAY localhost? Im not sure of the syntax...am I on the right track? Yes and no. What yuo need to do is temporarily permit x-connections from your localhost if you want to start an x program with a different user than the current session (in this case root) Simply execute 'xhost +localhost' before doing a su. I think that doing xhost local:root is better. There are 2 reasons for this: 1. You're specifying a user name, which gives added security if you've got a multi-user system. 2. You're specifying a local connection, not a connection that uses a network interface. The X server connections with use Unix sockets, not TCP sockets. This gives you less overhead since you don't have to send all your data through a TCP stack. noah ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html -BEGIN PGP SIGNATURE- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOW5kTIdCcpBjGWoFAQGFjAP/V/dalkL6GK7O8Mwbgd//3GpLQLU7e5GG wPl9hHIZm8tjx1FOHlxtnpxHw8RREof1ttubhR1n2Rvs8UVXfHpqIf0V5nQf2FGA viuMT6NUtFfi2fcvq9607vc2nPPR8yqwe5aMFhVV3fj13PpIYRqxz0nnuH7NoU+F 3AN2DeTRBDo= =MEnf -END PGP SIGNATURE-