[H-GEN] root running x programs in Debian

ben.carlyle at invensys.com ben.carlyle at invensys.com
Wed Aug 20 04:43:20 EDT 2003


Hello,

Nick Kwiatkowski <nickolas at au1.ibm.com>
Sent by: Majordomo <majordom at caliburn.humbug.org.au>
20/08/2003 05:38 PM
Please respond to general

        To:     general at lists.humbug.org.au
        cc:
        Subject:        Re: [H-GEN] root running x programs in Debian
Anthony Irwin wrote,
> > I wanted to look at visual apt tools to see if it would make using Debian
> > easier for Windows users. I have install synamtic and gnome-apt, both of
> > these programs ask for a root password then exit with status code 1.

I've just installed gnome-apt 0.4.4-1 on my machine, and I'm a little 
confused. I've tried fiddling around a little while logged in under my 
user account and haven't been able to get it to prompt me for a password 
at all. Perhaps you're working with a more advanced version.

Anyway, it should (theoretically) just work. If it's setuid root, and asks 
you for the root password as it starts up, it should have inherited your 
user environment. The root-owned program should inherit your XAUTHORITY 
and DISPLAY variables (perhaps you just need to set them both before 
starting the program). It should then access your .Xauthority file and 
present the appropriate cookie to the display. I presume you are running 
the program directly as a user?

> 1) set DISPLAY for root ie "DISPLAY=localhost:0.0"
> 2) and executed "xhost localhost"

Using xhost in this manner is not recommended practice as it opens up your 
display to all users on the local machine. If you're sure you're the only 
person logged into the machine then it may be ok as a temporary measure 
while you're trying to fix something else, but you're much better off 
finding an alternative.

Remember: 
_If_someone_has_access_to_your_X_server_they_can_see_your_keystrokes!_
If you allow access for user x to your display you are asking them to 
capture your passwords as you type them.

Sandra's suggestion is a good one and is based around the .Xauthority 
files that each application uses to gain access to your display if you've 
logged in using xdm or some equivalent.

Security in X is based around cookies. When you log in a large random 
number is chosen for you. Any application that tries to connect to your 
X-server must be able to present that large random number in order to gain 
access. While xhost +xxx circumvents this measure it is almost always 
better to make use of it.

Sandra's link essentially says to set the XAUTHORITY environment variable 
so that it points to the file that contains the appropriate long random 
number to access your display. So long as root has the DISPLAY variable 
set to something compatible with the .Xauthority entry it will be able to 
find the correct number to present to the X server.

An alternative way is to use xauth to list and copy keys, e.g.
$ xauth list
localhost:0 MIT-MAGIC-COOKIE-1 123498175612372314
$ su
Password:
# DISPLAY=localhost:0; export DISPLAY
# xauth add localhost:0 MIT-MAGIC-COOKIE-1 123498175612372314
If you do this then every root-owned application will be able to access 
your display, so long as DISPLAY is set appropriately.

Another alternative is to use ssh X-tunneling. Just ssh to the local 
machine:
$ ssh localhost -l root (you may have to specify +x)

This sets up a proxy X server with separate authority tokens that root 
actually owns but which tunnels data onto your main X server display.

Coming up with other approaches is left as an exercise for the reader.

Benjamin.
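The xauth-copying procedure Benjamin describes, as an added example that is not part of his message or of any program in the thread. It assumes a POSIX sh with awk and sed; the `xauth list` output and the cookie values in it are constructed for the example and are not real keys. The functions normalise a DISPLAY such as "localhost:0.0" to the "localhost:0" form that xauth stores, pick out the matching MIT-MAGIC-COOKIE-1 entry, and build the exact `xauth add` line root has to run, so nothing ever goes through `xhost`:

```shell
#!/bin/sh
# Added example (not from the original message): hand the current user's
# MIT-MAGIC-COOKIE-1 for $DISPLAY to root instead of opening the display
# with `xhost`.

# Constructed sample of `xauth list` output for this example; the cookie
# values are made up and are not real keys.
SAMPLE_XAUTH_LIST='ws/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
localhost:0  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# display_key: drop the trailing ".<screen>" so "localhost:0.0" matches the
# "localhost:0" entry that xauth keeps; other values pass through unchanged.
display_key() {
    printf '%s\n' "$1" | sed 's/\.[0-9]*$//'
}

# cookie_for: read `xauth list` output on stdin and print "PROTO COOKIE" for
# the given display; exit 1 when no entry matches (e.g. a display never
# logged in to), so the caller does not blindly add an empty cookie.
cookie_for() {
    cf_key=$(display_key "$1")
    awk -v key="$cf_key" '
        $1 == key { print $2, $3; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# xauth_add_cmd: build the single `xauth add` line to run in the root shell.
xauth_add_cmd() {
    xa_key=$(display_key "$1")
    xa_creds=$(cookie_for "$1") || return 1
    printf 'xauth add %s %s\n' "$xa_key" "$xa_creds"
}

# Live use (assumed environment: xauth installed and DISPLAY set). Run with
# RUN_LIVE=1 to print the command for the real display; by default only the
# constructed sample is processed so the script is safe to run anywhere.
if [ "${RUN_LIVE:-0}" = 1 ] && [ -n "${DISPLAY:-}" ]; then
    xauth list | xauth_add_cmd "$DISPLAY"
else
    printf '%s\n' "$SAMPLE_XAUTH_LIST" | xauth_add_cmd localhost:0.0
fi
```

Paste the printed line into the root shell after `su`, together with `DISPLAY=localhost:0; export DISPLAY` as in the message, and every X program root starts will present that cookie. Unlike `xhost localhost`, nothing else on the machine gains access: only a process that can read root's .Xauthority (or yours) holds the number, and the normalisation step avoids the common failure where root's DISPLAY says "localhost:0.0" while the stored entry reads "localhost:0".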
