On Jan 19, 07 00:17:11 -0500, Andy Harrison wrote:
> On 1/18/07, Marc Wilson wrote:
> > On Thu, Jan 18, 2007 at 04:20:35PM -0500, Andy Harrison wrote:
> > > xhost +SI:localuser:root
> >
> > Can we avoid the rush and just shoot all the idiots who recommend xhost *now*?
>
> What a helpful contribution to the thread. Do, post more wisdom.

In fact, there is a bit of truth in his words. xhost + is evil, it opens up your desktop for all(!) local users, and they can run everything on your desktop, including keyboard loggers, snapshot tools, etc. That said, your computer is probably not compromised, as it only opens it up for local users. Direct remote access to the Xserver has been banned some SUSE versions ago, exactly due to this "vulnerability" and due to the protocol not being encrypted at all.

> It would be a vast assumption that since kdesu will work that sudo will work also. kdesu is starting the command with a completely different environment and xauth handling is not identical to launching from a shell prompt.

Right. I've been begging for working root authentication for sudo for a *long*
time now. That said, it's difficult to achieve in a generally secure way
due to PAM (authentication framework) design decisions.
If security is not of uttermost concern (i.e. you trust the users that
get sudo capabilities), remove "env_reset" in /etc/sudoers. That might
just be enough, because DISPLAY, XAUTHORITY, and HOME remain on the same
data. This won't help if your home is on NFS and exported with
root_squash (default), though :-P
HTH
Matthias
--
Matthias Hopf
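
An added example, not part of the original message: a small shell audit that classifies the lines a bare `xhost` call prints, so a wide-open access list can be told apart from a single-user grant such as the one quoted in the thread. The function names and the `SAMPLE_*` values are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the access list printed by a bare `xhost` call.
# SAMPLE_* values are constructed for illustration, not captured from a host.

SAMPLE_SCOPED='access control enabled, only authorized clients can connect
SI:localuser:root'

SAMPLE_OPEN='access control disabled, clients can connect from any host
LOCAL:
INET:build01.example.org'

# audit_xhost TEXT -> one "SEVERITY: detail" line per access-list entry.
audit_xhost() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control is off (bare 'xhost +')" ;;
            "access control enabled"*|"")
                ;;  # status line or blank line: nothing to report
            LOCAL:*)
                echo "HIGH: every local user may connect ($line)" ;;
            SI:localuser:*)
                echo "INFO: one named local user may connect (${line#SI:localuser:})" ;;
            SI:localgroup:*)
                echo "MEDIUM: a whole local group may connect (${line#SI:localgroup:})" ;;
            *)
                echo "HIGH: host-based or unrecognised entry ($line)" ;;
        esac
    done
}

# count_serious TEXT -> number of HIGH or CRITICAL findings (0 when clean).
count_serious() {
    # grep -c exits non-zero on a count of 0, so mask that status.
    audit_xhost "$1" | grep -c -E '^(HIGH|CRITICAL):' || true
}

# Demo on the constructed samples.
audit_xhost "$SAMPLE_SCOPED"
audit_xhost "$SAMPLE_OPEN"
```

To check a live session instead of the samples, pass the real output: `audit_xhost "$(xhost)"`.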