From owner-freebsd-questions@FreeBSD.ORG Sun Feb 6 00:33:44 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 681C716A4CE for ; Sun, 6 Feb 2005 00:33:44 +0000 (GMT) Received: from rproxy.gmail.com (rproxy.gmail.com [64.233.170.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id BBA7543D1F for ; Sun, 6 Feb 2005 00:33:43 +0000 (GMT) (envelope-from gert.cuykens@gmail.com) Received: by rproxy.gmail.com with SMTP id f1so577571rne for ; Sat, 05 Feb 2005 16:33:43 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=Ku+ZxWIW/3FgPaaRM43f7Wa2DhtnTX+1nNFHCDNOfNAJGlP6k7oGnQ1bc4Fg40qzZADRAZcXfkH+VTrWpst36YGo6NPdRLP9blUFGAGy1xovG3WtNLOvnlqe/lTVW2Fx5fEtwvwQ/eH5Rnff2csW0PxGYX19Cfzf5s7FtN/+2+k= Received: by 10.38.152.36 with SMTP id z36mr60493rnd; Sat, 05 Feb 2005 16:33:32 -0800 (PST) Received: by 10.38.74.23 with HTTP; Sat, 5 Feb 2005 16:33:29 -0800 (PST) Message-ID: Date: Sun, 6 Feb 2005 01:33:29 +0100 From: Gert Cuykens To: "Loren M. Lang" In-Reply-To: <20050205064704.GH8619@alzatex.com> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <20050202210526.GC77499@keyslapper.net> <42014E0A.5070003@mac.com> <20050203225835.GX8619@alzatex.com> <20050205064704.GH8619@alzatex.com> cc: freebsd-questions@freebsd.org Subject: Re: xhost +localhost X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Gert Cuykens List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Feb 2005 00:33:44 -0000 On Fri, 4 Feb 2005 22:47:04 -0800, Loren M. Lang wrote: > On Fri, Feb 04, 2005 at 12:21:34AM +0100, Gert Cuykens wrote: > > On Thu, 3 Feb 2005 14:58:35 -0800, Loren M. Lang wrote: > > > This enable all programs to have access that are using unix domain > > > sockets to not need the MIT-MAGIC-COOKIE stored in the .Xauthority file > > > in the users home directory so any user can open a program on that > > > display. xhost +localhost adds all programs from localhost using tcp > > > connections instead. DISPLAY=:0 causes a program to use fast unix > > > domain sockets where DISPLAY=localhost:0 causes a program to use slow > > > tcp sockets instead. tcp sockets are really only needed for remote > > > connections and xhost +localhost won't allow any local programs to > > > access X unless they use tcp, not unix. See my first response for more > > > information. > > > > ok time out :) > > 1)does xhost set the DISPLAY variable ? > > No, in fact, xhost needs the DISPLAY variable already set so that it > knows which display to try and connect to to change access control. > xhost needs some way to authenticate itself to the X server so X can > trust that it's a legit user trying to change the access control. If > you open up X to all local users by using something like xhost > +localhost or xhost local: then any local user could take over your > display and use xhost to disable your access to it. > > > 2)does xhost local: also uses the tcp thingie or use it the x socket thingie ? > > local: allows anyone to access the X server through unix domain sockets. > +localhost allows all local programs to access X though tcp sockets. > Normally tcp sockets are only used for remote connections since they are > slower than unix sockets, but unix sockets only work on the same > machine. > > > 3)what must i put in the .Xauthority file to make the screensaver work > > with having to use xhost ? > > When X first logs in to a user, it creates the .Xauthority file in that > users home directory and fills it with a random string called a > MIT-MAGIC-COOKIE. Any X client, by default, reads that file to see what > the cookie is then sends it to the X server to authenticate itself. > Anyone who can read that file can access the display so that file is > normally only readable by the user who logged in, though root can always > read it because root is god. When you run an X program as a different > user, it will look in that users home directory for the .Xauthority > file and so won't be able to find the right cookie unless you used the > xauth command to give that user the cookie ahead of time. By setting > the XAUTHORITY environment variable to some other file, it will check that > file for the magic cookie instead of the current users home directory. > This is useful when running a command as root that you want to access a > normal users X server. This is a much more secure way to allow access > to X than using xhost since you know what users are able to access X, > not just which computers, which may have multiple users on them. > > In summary, don't touch xhost, just use: > > XAUTHORITY=/home/user/.Xauthority xscreensaver > > or you can use xauth to extract the magic cookie and then import it into > the correct users .Xauthority file. As the user of the X server: > > xauth extract my-cookie-file $DISPLAY > > Saves the magic cookie to a file called my-cookie-file for the current > display. Then as the user who want to access the X display: > > xauth merge my-cookie-file > > Adds the cookie stored in my-cookie file to the current users > .Xauthority file. Now user B can open an X application on A's X server. > > Oh, and don't run xscreensaver as root EVER! Instead, if you're really > paranoid about security, make a user who can access any of your files > whose sole purpose is to run xscreensaver then use that user to run it. > This is still not that much more secure since any user that can access > an X server can essentially take it over and control your mouse and > keyboard doing what ever they want, like openning an xterm on your > display and running the passwd command to change your passwd. Now they > just gained access to all your files as well. > Thx this clears alot of questions :) One more question doh, about the x cookie. How long does it take to calculate the x cookie string yourself of a user you want to hack :)