Authentication and SU

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Fri Apr 2 15:50:14 UTC 2004


On Fri, 02.04.2004, at 01:39, Pepebuho wrote:

> Hi.
> I noticed that each time that I execute su and then gedit I get the
> following warning:
> (gedit:2378): GnomeUI-WARNING **: While connecting to session manager:
> Authentication Rejected, reason : None of the authentication protocols
> specified are supported and host-based authentication failed.
> Surfing Google I found the attached solution by Bruce Wolk, nevertheless
> I wonder why does it work. In fact why do we need it at all?
> I am not that good yet with scripts (I am newbie) but it looks
> like it is executing gedit on a new shell session where the contents
> of the current XAUTHORITY were taken from root's .Xauthority.
> Is it safe? And if that variable is important, why is it not changed
> automatically when I execute su?
> Also, I was checking for .Xauthority on my root directory and I saw not one
> xauthority but several files starting with .xauth
> Thanks!
> Javier

1) su is in many cases suboptimal as it switches not to a root login
shell but only to a root shell, see "man su" for - or -l. Better use "su
-" to get the whole environment for root.

2) root can do nearly everything and therefore "stealing" a user's
.Xauthority is possible for root. That leads to the next question ...

3) .Xauthority is the authority token file of the user running the X
session and in his ~, see "man Xsecurity". See also "man mcookie" for
generating an authority token.

4) A different method would be to let the user running X allow connects
from everyone on localhost with "xhost +localhost" in i.e. ~/.xinitrc.
root might set the $DISPLAY in his /root/.xinitrc.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2174.nptl
Sirendipity 17:35:15 up 14 days, 1:17, load average: 0.07, 0.13, 0.08 
                   [ Γνωθι σ'αυτον - gnothi seauton ]
             my life is a planetarium - and you are the stars
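
Point 3 above describes .Xauthority as the authority token file. As an added example (not part of the original message), this Python sketch parses the file's binary record layout and lists which displays it holds a key for, without printing the key itself. The helper names and the sample record are constructed for illustration.

```python
import struct

# X11 address-family codes used in .Xauthority records
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated .Xauthority record")
    return struct.unpack_from(">H", buf, pos)[0], pos + 2

def _field(buf, pos):
    # Each field is a 2-byte big-endian length followed by that many bytes.
    n, pos = _u16(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated .Xauthority record")
    return buf[pos:pos + n], pos + n

def parse_xauthority(buf):
    """Parse raw .Xauthority bytes into a list of dicts, one per record."""
    entries, pos = [], 0
    while pos < len(buf):
        family, pos = _u16(buf, pos)
        addr, pos = _field(buf, pos)      # hostname for Local, raw address otherwise
        display, pos = _field(buf, pos)   # display number as ASCII, e.g. b"0"
        proto, pos = _field(buf, pos)     # e.g. b"MIT-MAGIC-COOKIE-1"
        cookie, pos = _field(buf, pos)    # the secret key itself
        entries.append({
            "family": FAMILIES.get(family, str(family)),
            "host": addr.decode("latin-1"),
            "display": display.decode("ascii", "replace"),
            "protocol": proto.decode("ascii", "replace"),
            "cookie": cookie,
        })
    return entries

def summarize(entries):
    """One line per record; the key is a bearer secret, so show only its length."""
    return ["%s/%s:%s %s (%d-byte key)" % (e["family"], e["host"], e["display"],
            e["protocol"], len(e["cookie"])) for e in entries]

def make_record(family, host, display, proto, cookie):
    """Build one record; used here only to construct sample input."""
    out = struct.pack(">H", family)
    for f in (host, display, proto, cookie):
        out += struct.pack(">H", len(f)) + f
    return out

# Constructed sample: one local-socket record with a fixed 16-byte key
# (a real key is random, e.g. the 128 bits that mcookie prints as hex).
SAMPLE = make_record(256, b"myhost", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))

if __name__ == "__main__":
    print("\n".join(summarize(parse_xauthority(SAMPLE))))
```

Anyone who can read the file gets the key, which is why root can reuse a user's .Xauthority as point 2 says.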