[K12OSN] More on terminal screen locking.... need help w/ xauth (what's up with /tmp/.gdm*)

Shahms King shahms at shahms.com
Mon Feb 28 17:33:37 UTC 2005


On Mon, 2005-02-28 at 11:40 -0500, Henry Burroughs wrote:
> I'm close.  I've  figured out how to control the screens via root and
> doing a:
> 
> su - $USER -c "DISPLAY=<their display> xscreensaver-command -lock"
> 
> However, it depends on the user having a CURRENT .Xauthority file in
> their home directory.   However, the authority information is being
> stored and used in a file in /tmp (/tmp/.gdm* files) according to "xauth
> info".  Does anyone know why it is being created there? I  can copy the
> /tmp/.gdm?????? file corresponding to that user's authority file, and
> can achieve a screensaver lock (or start any other program on their
> display) via above, however logging the user out and back in does not
> make it use the new .Xauthority file (so it wouldn't work on a different
> workstation).

GDM stores the user's Xauthority file in tmp to avoid writing things in
home directories for a number of reasons, not the least of which is
security (think unencrypted network home directories).  There are a
number of ways to work around this if you are either root or the user
who owns the display. The easiest is to simply look for the pid of the
xscreensaver instance running as the target user and
use /proc/<pid>/environ to determine the xauth file to use.  That file
is a NULL-separated list of environment variables in use by the process.
Locking a specific display or only a specific user both require roughly
the same code, so I'll just include a shell script for
locking all displays (where an xscreensaver process is running):

========================= CUT HERE =============================
#!/bin/sh

for pid in $(/sbin/pidof xscreensaver); do
    # do user name tests on /proc/${pid}/ for process ownership
    # if [ "$(stat -c '%U' /proc/${pid})" = "$USER" ]; then ...
    env $(tr '\000' '\n' < /proc/${pid}/environ | \
          egrep '^(DISPLAY|XAUTHORITY)=' | \
          tr '\n' ' ') \
        xscreensaver-command -lock
done

========================= CUT HERE =============================

The above sets up an ugly pipeline for extracting only the DISPLAY and
XAUTHORITY lines from /proc/${pid}/environ by converting nulls into line
feeds, grepping for lines beginning with DISPLAY or XAUTHORITY,
converting line feeds into spaces and passing the result to the 'env'
command to execute 'xscreensaver-command -lock' in the correct
environment.

Note that the above fails if XAUTHORITY isn't set and you aren't running
as the user (XAUTHORITY defaults to $HOME/.Xauthority if unset).  It
also assumes that neither DISPLAY nor XAUTHORITY have any embedded
spaces.  With those caveats, enjoy.

> I think I'm  pretty close to getting a partial solution.  I'm trying to
> figure out xauth to some extent so I can avoid "xhost" at all costs. 
> I'll be sure to post to the wiki my solution.
> 
> Henry Burroughs
> Technology Director
> Hilton Head Preparatory School
> www.hhprep.org
> 

-- 
Shahms E. King <shahms at shahms.com>
Multnomah ESD

Public Key:
http://shahms.mesd.k12.or.us/~sking/shahms.asc
Fingerprint:
1612 054B CE92 8770 F1EA  AB1B FEAB 3636 45B2 D75B
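
The two caveats at the end of the reply above (XAUTHORITY unset in the process, values with embedded spaces) can be handled by reading each variable out of the environ file separately. This is an added example, not part of the original post; the function names are hypothetical, and it assumes GNU stat and getent are available and that values contain no embedded newlines.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumption: values contain no embedded newlines (spaces are fine).

# environ_get FILE NAME
# Print NAME's value from a NUL-separated environ file; status 1 if unset.
environ_get() {
    tr '\000' '\n' < "$1" | (
        while IFS= read -r entry || [ -n "$entry" ]; do
            case $entry in
                "$2="*) printf '%s\n' "${entry#"$2"=}"; exit 0 ;;
            esac
        done
        exit 1
    )
}

# xauthority_for FILE HOME_DIR
# XAUTHORITY from the process, else the default HOME_DIR/.Xauthority.
xauthority_for() {
    environ_get "$1" XAUTHORITY || printf '%s\n' "$2/.Xauthority"
}

# Lock every display that has an xscreensaver process (run as root).
lock_all_displays() {
    for pid in $(pidof xscreensaver); do
        environ_file=/proc/$pid/environ
        display=$(environ_get "$environ_file" DISPLAY) || continue
        owner=$(stat -c '%U' "/proc/$pid") || continue
        home=$(getent passwd "$owner" | cut -d: -f6)
        xauth=$(xauthority_for "$environ_file" "$home")
        # Quoted assignments keep values with spaces intact.
        env DISPLAY="$display" XAUTHORITY="$xauth" xscreensaver-command -lock
    done
}

# Only touch real displays when asked to: ./lock-all.sh lock
if [ "${1:-}" = "lock" ]; then
    lock_all_displays
fi
```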