Hello Chris,
On Wed, Aug 08, 2018 at 08:58:24PM +0200, Chris Hofstaedtler wrote:
> * Helge Kreutzmann <deb...@helgefjell.de> [180808 18:57]:
> > On Tue, Aug 07, 2018 at 08:20:23PM +0100, Simon McVittie wrote:
> > > Andreas already asked for a merge request, so it seems that proposing a
> > > patch would indeed be welcome.
> > 
> > I'll do so, incorporating your excellent explanation. I'll do so by
> > the end of the week (at the latest).
> 
> Gentle reminder about this.

Here you are:

--- ./su.1.orig 2017-09-27 11:05:13.717361420 +0200
+++ ./su.1      2018-08-09 21:04:24.370998117 +0200
@@ -261,6 +261,27 @@
 .RS
 .br
 session  required  pam_lastlog.so nowtmp
+.PP
+.RE
+Further by default 
+.B su
+does not allow the commands to access the current X display. To allow 
+graphical applications with the privileges of a different user 
+(called "otheruser" in this example) several
+options exists. These are, in order of preference (security-wise):
+.RS 10
+.TP
+o 
+Use a separate X display (e.g. "Switch User" in GNOME, or the equivalent 
fast-user-switching feature in other desktop environments), or a "thicker" 
remoting layer like VNC, Spice or Xpra.
+.TP
+o
+Use ssh, e.g. "ssh -X -oForwardX11Trusted=no otheruser@localhost".
+.TP
+o
+Allow \fBsu\fR explicit display access by issuing "xhost 
+si:localuser:otheruser" in 
+the originating X session and "DISPLAY=:0 command" under \fBsu\fR.
+This has serious security implications and hence should only be used in
+trusted environments.
 .RE
 .SH "SEE ALSO"
 .BR setpriv (1),
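
Review bot: The two lines beginning "fast-user-switching feature" and "remoting layer like VNC" in the first list item have neither a "+" nor a leading space, so the hunk is malformed and will not apply. The header (-261,6 +261,27) declares 21 added lines, but 22 "+" lines plus these two unprefixed lines are shown, which suggests long lines were wrapped in transit. If so, the "+" in front of "si:localuser:otheruser" may be part of the xhost argument rather than a diff marker, so the rendered command should be checked. Sending the patch as an attachment or as the requested merge request would avoid this. In the added text, "several options exists" should be "several options exist", "Further by default" reads better as "Furthermore, by default,", and several added lines end in trailing whitespace. The hyphens in the ssh example should be escaped (\-X \-oForwardX11Trusted=no) so they render as plain hyphen-minus and can be copied from the page. The last item hard-codes "DISPLAY=:0"; a note that the display number may differ would help.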

Feel free to update.

Greetings

           Helge
-- 
      Dr. Helge Kreutzmann                     deb...@helgefjell.de
           Dipl.-Phys.                   http://www.helgefjell.de/debian.php
        64bit GNU powered                     gpg signed mail preferred
           Help keep free software "libre": http://www.ffii.de/
