
Re: pam_xauth module and Debian's X




Ben Gertzfield <che@debian.org> writes:

> >>>>> "Sergey" == Sergey V Kovalyov <sqk0316@SCIRES.ACF.NYU.EDU> writes:
> 
>     Sergey> The second feature is pam_xauth module that is used to
>     Sergey> pass xauth keys when doing su. Very convenient. Recall how
>     Sergey> often we get questions about X connection refused after
>     Sergey> su.
> 
> I've asked in the past for this to be included, but every time I've
> been denied, and just told that you should set the XAUTHORITY
> environment variable when you su to root to the path of the
> .Xauthority file of the user who started X.

Scenario: The .Xauthority file is in a user's home directory which is
NFS mounted.  The NFS filesystem is exported no_root_squash.  So if the
permissions on .Xauthority are correct, then even root won't have access
to it.

It also doesn't work for the scenario where you're su'ing to another user
(for example to do news maintenance, I often 'sudo -u news -s'[0]).

What exactly is the security risk posed by pam_xauth?  Or why is it a
nightmare?

[0] OK, so it's not su, but it's the same principle.

- -- 
Graeme.
graeme+sig@mathie.cx

"Life's not fair," I reply. "But the root password helps." - BOFH

