X11 Forwarding 102

Chris Gerhard wrote a post last week he called “X11 Forwarding 101” on using xauth to grant permissions to your X display when you su to root. I was all ready to write a response about how the complex steps he'd shown could be replaced by a simple, yet secure, command in Solaris 10 [1]:

xhost +si:localuser:root

but before I could, I got a mail from Casper asking why that feature wasn't working the same in Xsun as in Xorg. After a few more e-mails, he had narrowed it down: it worked with Xorg on all connection types and with Xsun over local TCP connections (“localhost:0”), but not with Xsun over Unix domain sockets (“unix:0”) or named pipes (“:0”) [2].

It turns out there was a bug in local connection type handling that I'd fixed when porting the localuser code from Xsun to Xorg for Xorg 6.8.0, but forgot to backport to Xsun. The Xsun code processed the list of hosts first and then exited before checking the ServerInterpreted types, so it never saw the localuser type as allowable. I've filed this in Sun's bug database as 6380709 and am putting a fix into Nevada build 34.

Until that fix is out, I guess you'll have to stick with Chris' instructions for Xsun, unless you want to use the slower TCP transport for local connections. If you are using Xorg on Solaris 10 or Nevada, though, you can try “xhost +si:localuser:username” when you want to grant another user on the same machine (in the same zone if on a multi-zone machine in Solaris 10) access to your display.


[1] Actually any OS with both Xorg 6.8.0 or later and support for a secure method of determining the identity of the user on the other end of a local connection, such as Solaris 10's getpeerucred or a similar interface such as getpeereid or SO_PEERCRED.

[2] At the level authentication is done, the shared memory transport in Solaris is treated as a named pipe connection, since that is how the connection is established.


Comments:

Cool. How does it solve the problem for connections over ssh? How can I securely grant access to root on a remote host and have all the traffic go over the ssh tunnel?

Posted by Chris Gerhard on February 05, 2006 at 09:29 PM PST #

About

Engineer working on Oracle Solaris and with the X.Org open source community.

Disclaimer

The views expressed on this blog are my own and do not necessarily reflect the views of Oracle, the X.Org Foundation, or anyone else.
