Mailinglist Archive: opensuse (4631 mails)

Re: [opensuse] Getting error "cannot connect to X server" when using sudo to run a program
  • From: Matthias Hopf <mhopf@xxxxxxx>
  • Date: Wed, 24 Jan 2007 20:25:33 +0100
  • Message-id: <20070124192533.GB6272@xxxxxxx>
On Jan 19, 07 00:17:11 -0500, Andy Harrison wrote:
> On 1/18/07, Marc Wilson <msw@xxxxxxx> wrote:
> >On Thu, Jan 18, 2007 at 04:20:35PM -0500, Andy Harrison wrote:
> >> xhost +SI:localuser:root
> >
> >Can we avoid the rush and just shoot all the idiots who recommend xhost
> >*now*?
>
> What a helpful contribution to the thread. Do, post more wisdom.

In fact, there is a bit of truth in his words. xhost + is evil, it opens
up your desktop for all(!) local users, and they can run everything on
your desktop, including keyboard loggers, snapshot tools, etc.

That said, your computer is probably not compromised, as it only opens
it up for local users. Direct remote access to the Xserver has been
banned some SUSE versions ago, exactly due to this "vulnerability" and
due to the protocol not being encrypted at all.

> It would be a vast assumption that since kdesu will work that sudo
> will work also. kdesu is starting the command with a completely
> different environment and xauth handling is not identical to launching
> from a shell prompt.

Right. I'm begging for working root authentication for sudo for a *long*
time now. That said, it's difficult to achieve in a generally secure way
due to PAM (authentication framework) design decisions.

If security is not of uttermost concern (i.e. you trust the users that
get sudo capabilities), remove "env_reset" in /etc/sudoers. That might
just be enough, because DISPLAY, XAUTHORITY, and HOME remain on the same
data. This won't help if your home is on NFS and exported with
root_squash (default), though :-P

HTH

Matthias

--
Matthias Hopf <mhopf@xxxxxxx> __ __ __
Maxfeldstr. 5 / 90409 Nuernberg (_ | | (_ |__ mat@xxxxxxxxx
Phone +49-911-74053-715 __) |_| __) |__ R & D www.mshopf.de
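
For the access-list risk discussed in this message, a small audit helper, added here as an example (not part of the original mail): it classifies the lines that `xhost` prints when run without arguments and reports the most permissive entry. The function names and severity labels are assumptions of this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit the X access list. On a live system: xhost | xhost_worst

# classify_xhost: read `xhost` output on stdin, print "LEVEL detail" per finding.
classify_xhost() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL access control off, any client may connect" ;;
            "access control enabled"*|"") ;;   # status line of the normal state
            SI:localuser:*)
                echo "SCOPED local user ${line#SI:localuser:}" ;;
            SI:localgroup:*)
                echo "SCOPED local group ${line#SI:localgroup:}" ;;
            LOCAL:*)
                echo "BROAD all local (non-network) connections" ;;
            INET:*|INET6:*|SI:hostname:*|SI:ipv6:*)
                echo "BROAD network host entry $line" ;;
            *)
                echo "REVIEW unrecognised entry $line" ;;
        esac
    done
}

# xhost_worst: print the most permissive level found, or NONE for an empty list.
xhost_worst() {
    findings=$(classify_xhost)
    for level in CRITICAL BROAD REVIEW SCOPED; do
        if printf '%s\n' "$findings" | grep -q "^$level "; then
            echo "$level"
            return 0
        fi
    done
    echo NONE
}

# Constructed sample: the list as printed after `xhost +SI:localuser:root`.
sample='access control enabled, only authorized clients can connect
SI:localuser:root'
printf '%s\n' "$sample" | classify_xhost
```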
