Re: how does root run a graphical prog
On Mon, May 20, 2002, Vineet Kumar ([EMAIL PROTECTED]) wrote:
> * Dave Sherohman ([EMAIL PROTECTED]) [020520 10:49]:
> > On Mon, May 20, 2002 at 06:39:22PM +0200, Kristian Rink wrote:
> > > Something like 'xhost +' basically should
> > > allow anyone (on your system) to connect to X hence to display any
> > > graphical output.
> >
> > Bzzt! 'xhost +' allows anyone (on any system capable of contacting
> > your system) to connect to X and display any graphical output. Not
> > good...
> >
> > If you MUST use xhost, use 'xhost + localhost'. But using xauth or
> > XAUTHORITY is the Right Way To Do It.
>
> Thanks Dave! You just pointed out one of the many, many, MANY reasons to
> NEVER USE xhost. The reason you just illustrated: "When you might want
> to do 'xhost +localhost', you might accidentally enter
> 'xhost + localhost', which has the same effect as 'xhost +'."
>
> Even if you DID get it "right", 'xhost +localhost' allows anyone on
> localhost to connect to your X server. Probably not what you want,
> especially on a system with many users, or any system with any users you
> don't fully trust (probably every system).
>
> It's worth noting that the danger isn't just that anyone can display
> apps on your display. In addition to being able to open windows on your
> display, anyone else would be able to destroy any (or all) of
> your windows, view the contents of your screen remotely, log your
> keystrokes, or generate /any/ X event.
>
> This horse has been beaten to death. Search google and you'll probably
> come up with a kmself rant (TM) about why xhost is bad, along with info
> from plenty of other enlightened individuals.

http://www.google.com/search?hl=en&q=karsten+self+xauth+merge

...and hit "I'm feeling lucky".

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>    http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Hollings: bought, paid for, but couldn't deliver the CBDTPA:
http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html
Re: how does root run a graphical prog
On Mon, May 20, 2002 at 11:29:14AM -0700, Vineet Kumar wrote:
> * Dave Sherohman ([EMAIL PROTECTED]) [020520 10:49]:
> > If you MUST use xhost, use 'xhost + localhost'. But using xauth or
> > XAUTHORITY is the Right Way To Do It.
>
> Thanks Dave! You just pointed out one of the many, many, MANY reasons to
> NEVER USE xhost. The reason you just illustrated: "When you might want
> to do 'xhost +localhost', you might accidentally enter
> 'xhost + localhost', which has the same effect as 'xhost +'."

...as well as one of the many, many, MANY reasons for not correcting
other people on the use of a tool you never use yourself...

-- 
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss

-- 
To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED] with the subject
"unsubscribe". Problems? Mail [EMAIL PROTECTED] (English)
Re: how does root run a graphical prog
On Mon, May 20, 2002 at 08:10:10PM +0100, Frank Zimmermann wrote:
> On Mon, May 20, 2002 at 11:29:14AM -0700, Vineet Kumar wrote:
...
> > Use su and read the originating user's ~/.Xauthority, or use ssh's X
> > forwarding.
>
> On my Debian system root can automatically run X-Apps (after an su). I was
> wondering why but haven't figured it out yet. It's not what I was used to
> before.

I think you did `su', not `su -'. A mere `su' merely changes your
identity, but the environment stays the same. In particular $HOME. So when
you launch an X app, the authorisation cookie is read from
/home/other-user/.Xauthority, and since you really are root and allowed to
read anything, this works.

A `su -' on the other hand behaves like a logon, so $HOME now points to
root's home dir and X tries to read /root/.Xauthority. Unless you've
merged in the .Xauthority from the user you su-ed from this will fail.
Simply running `xauth merge /home/other-user/.Xauthority' fixes this for
as long as the X cookie of that other user doesn't change.
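The two mechanics in the post above, where Xlib finds the cookie file under `su` versus `su -` and what `xauth merge` does to that file, as an added example that is not code from this thread. It parses and writes the record format libXau uses for ~/.Xauthority (each record: big-endian uint16 family, then address, display number, protocol name and cookie, each as a uint16 length followed by the bytes), implements the $XAUTHORITY / $HOME/.Xauthority lookup, and mimics the replace-or-append semantics of `xauth merge`. The hostname "debianbox", the paths /home/frank and /root, and the cookie value are constructed for the demo; no real authority file is touched.

```python
"""Parse, select and merge MIT-MAGIC-COOKIE-1 entries in the Xauthority file
format, and show why `su` finds the cookie while `su -` does not.
Sample host, paths and cookie are constructed; nothing on disk is read."""
import os
import struct
from dataclasses import dataclass

FAMILY_INTERNET = 0     # address is the raw 4-byte IPv4 address
FAMILY_LOCAL = 256      # address is the local hostname, used for ":0"-style displays
FAMILY_WILD = 65535     # matches any host


@dataclass(frozen=True)
class XauthEntry:
    family: int
    address: bytes
    number: bytes   # display number as ASCII digits, e.g. b"0"
    name: bytes     # auth protocol, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes     # the cookie (16 bytes for MIT-MAGIC-COOKIE-1)

    def key(self):
        # `xauth merge` treats equal (family, address, number, name) as the same slot
        return (self.family, self.address, self.number, self.name)


def _counted(buf, off):
    """Read one (uint16 length, bytes) field without running past the buffer."""
    if off + 2 > len(buf):
        raise ValueError("truncated Xauthority record")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated Xauthority record")
    return buf[off:off + n], off + n


def parse_xauthority(buf):
    """Decode every record of an Xauthority byte string."""
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated Xauthority record")
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _counted(buf, off)
        number, off = _counted(buf, off)
        name, off = _counted(buf, off)
        data, off = _counted(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def serialize_xauthority(entries):
    """Inverse of parse_xauthority."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += struct.pack(">H", len(field)) + field
    return bytes(out)


def merge_entries(existing, incoming):
    """What `xauth merge` does: same-key entries are replaced, new ones appended."""
    merged = {e.key(): e for e in existing}
    order = [e.key() for e in existing]
    for e in incoming:
        if e.key() not in merged:
            order.append(e.key())
        merged[e.key()] = e
    return [merged[k] for k in order]


def authority_path(env):
    """Where Xlib looks for the cookie file: $XAUTHORITY, else $HOME/.Xauthority.
    This is the whole difference between `su` (HOME still the user's) and `su -`."""
    if env.get("XAUTHORITY"):
        return env["XAUTHORITY"]
    home = env.get("HOME")
    return os.path.join(home, ".Xauthority") if home else None


def cookie_for_display(entries, hostname, display):
    """Cookie a client on `hostname` would present for a local DISPLAY like ':0' or ':0.0'."""
    host, _, rest = display.rpartition(":")
    if host not in ("", "unix"):
        raise ValueError("only local displays are handled in this example")
    number = rest.split(".")[0].encode()
    usable = [e for e in entries if e.name == b"MIT-MAGIC-COOKIE-1" and e.number == number]
    for e in usable:
        if e.family == FAMILY_LOCAL and e.address == hostname.encode():
            return e.data
    for e in usable:
        if e.family == FAMILY_WILD:      # wildcard host entry, checked last
            return e.data
    return None


# Constructed sample: the user's file holds one cookie for display :0 on "debianbox".
HOSTNAME = "debianbox"
USER_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")   # made up, not a real cookie
USER_XAUTHORITY = serialize_xauthority([
    XauthEntry(FAMILY_LOCAL, HOSTNAME.encode(), b"0", b"MIT-MAGIC-COOKIE-1", USER_COOKIE),
])


def root_view(user_file, root_file, env):
    """(path Xlib opens, cookie found there) for root under a given environment."""
    path = authority_path(env)
    files = {"/home/frank/.Xauthority": user_file, "/root/.Xauthority": root_file}
    return path, cookie_for_display(parse_xauthority(files.get(path, b"")), HOSTNAME, ":0")


if __name__ == "__main__":
    print("su   :", root_view(USER_XAUTHORITY, b"", {"HOME": "/home/frank"}))   # user's cookie found
    print("su - :", root_view(USER_XAUTHORITY, b"", {"HOME": "/root"}))         # nothing -> refused
    merged = serialize_xauthority(merge_entries([], parse_xauthority(USER_XAUTHORITY)))
    print("after xauth merge:", root_view(USER_XAUTHORITY, merged, {"HOME": "/root"}))
```

`merge_entries` is the step `xauth merge /home/other-user/.Xauthority` performs on /root/.Xauthority; setting XAUTHORITY=/home/other-user/.Xauthority in root's environment instead makes `authority_path` return the user's file directly and skips the copy. Either way the cookie is per X session: when the user's server restarts with a fresh cookie, root's merged copy is stale and has to be merged again, which is the "as long as the cookie doesn't change" in the post.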
Re: how does root run a graphical prog
On Mon, May 20, 2002 at 11:29:14AM -0700, Vineet Kumar wrote:
> * Dave Sherohman ([EMAIL PROTECTED]) [020520 10:49]:
> > On Mon, May 20, 2002 at 06:39:22PM +0200, Kristian Rink wrote:
> >
> Thankfully, debian's X config has by default an option (and I won't tell
> you which if you don't know, because you shouldn't remove it) that
> disables the X server from listening for and accepting incoming tcp
> connections, so 'xhost +' won't hurt you as much as it should.
>
> Use su and read the originating user's ~/.Xauthority, or use ssh's X
> forwarding.
>
On my Debian system root can automatically run X-Apps (after an su). I was
wondering why but haven't figured it out yet. It's not what I was used to
before.

Frank

-- 
Dr. Frank Zimmermann | registered Linux user 133450
23, Sandon Road      | web: http://www.ds10.uklinux.net
Birmingham B17 8DR   | e-mail: [EMAIL PROTECTED]
UK                   | tel: 0044-121-429 1746
Re: how does root run a graphical prog
* Dave Sherohman ([EMAIL PROTECTED]) [020520 10:49]:
> On Mon, May 20, 2002 at 06:39:22PM +0200, Kristian Rink wrote:
> > Something like 'xhost +' basically should
> > allow anyone (on your system) to connect to X hence to display any
> > graphical output.
>
> Bzzt! 'xhost +' allows anyone (on any system capable of contacting
> your system) to connect to X and display any graphical output. Not
> good...
>
> If you MUST use xhost, use 'xhost + localhost'. But using xauth or
> XAUTHORITY is the Right Way To Do It.

Thanks Dave! You just pointed out one of the many, many, MANY reasons to
NEVER USE xhost. The reason you just illustrated: "When you might want
to do 'xhost +localhost', you might accidentally enter
'xhost + localhost', which has the same effect as 'xhost +'."

Even if you DID get it "right", 'xhost +localhost' allows anyone on
localhost to connect to your X server. Probably not what you want,
especially on a system with many users, or any system with any users you
don't fully trust (probably every system).

It's worth noting that the danger isn't just that anyone can display
apps on your display. In addition to being able to open windows on your
display, anyone else would be able to destroy any (or all) of
your windows, view the contents of your screen remotely, log your
keystrokes, or generate /any/ X event.

This horse has been beaten to death. Search google and you'll probably
come up with a kmself rant (TM) about why xhost is bad, along with info
from plenty of other enlightened individuals.

Thankfully, debian's X config has by default an option (and I won't tell
you which if you don't know, because you shouldn't remove it) that
disables the X server from listening for and accepting incoming tcp
connections, so 'xhost +' won't hurt you as much as it should.

Use su and read the originating user's ~/.Xauthority, or use ssh's X
forwarding.

> --
> When we reduce our own liberties to stop terrorism, the terrorists
> have already won. - reverius

Word.

(and "too late.")

good times,
Vineet

-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml
Re: how does root run a graphical prog
On Mon, May 20, 2002 at 06:39:22PM +0200, Kristian Rink wrote:
> Something like 'xhost +' basically should
> allow anyone (on your system) to connect to X hence to display any
> graphical output.

Bzzt! 'xhost +' allows anyone (on any system capable of contacting
your system) to connect to X and display any graphical output. Not
good...

If you MUST use xhost, use 'xhost + localhost'. But using xauth or
XAUTHORITY is the Right Way To Do It.

-- 
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss
Re: how does root run a graphical prog
On Mon, May 20, 2002 at 06:39:22PM +0200, Kristian Rink wrote:
> On Mon, May 20, 2002 at 11:45:31PM +0700, Willy S wrote:
> >
> > Xlib: connection to ":0.0" refused by server

Ahem... sorry, folks, wrong list... please ignore. *blush*

Kris

-- 
Savour what you feel and        { Kristian Rink
what you see - things that      { irc:: irc.sorcery.net (kristian)
may not seem important now      { fon:: ++49 160 92526188
but may be tomorrow...          { fax:: ++49 1212 5 119 57 762
-Chuck Schuldiner (1967 - 2001) .. gone but not forgotten-
Re: how does root run a graphical prog
On Mon, May 20, 2002 at 11:45:31PM +0700, Willy S wrote:
>
> Xlib: connection to ":0.0" refused by server
> Xlib: Client is not authorized to connect to Server

X requires you to have permissions to access the running X server to
display any output on your screen. Usually (on well-configured systems),
this is supposed to be restricted to the user that is actually running the
current X session, IIRC. Something like 'xhost +' basically should allow
anyone (on your system) to connect to X hence to display any graphical
output. For more fine-grained xhost access configuration, "man 1 xhost"
is your friend.

Cheers,
Kris

-- 
Savour what you feel and        { Kristian Rink
what you see - things that      { irc:: irc.sorcery.net (kristian)
may not seem important now      { fon:: ++49 160 92526188
but may be tomorrow...          { fax:: ++49 1212 5 119 57 762
-Chuck Schuldiner (1967 - 2001) .. gone but not forgotten-