On Jan 19, 07 00:17:11 -0500, Andy Harrison wrote:
> On 1/18/07, Marc Wilson <[EMAIL PROTECTED]> wrote:
> >On Thu, Jan 18, 2007 at 04:20:35PM -0500, Andy Harrison wrote:
> >> xhost +SI:localuser:root
> >
> >Can we avoid the rush and just shoot all the idiots who recommend xhost
> >*now*?
>
> What a helpful contribution to the thread.  Do, post more wisdom.

In fact, there is a bit of truth in his words. xhost + is evil, it opens
up your desktop for all(!) local users, and they can run everything on
your desktop, including keyboard loggers, snapshot tools, etc.

That said, your computer is probably not compromised, as it only opens
it up for local users. Direct remote access to the Xserver has been
banned some SUSE versions ago, exactly due to this "vulnerability" and
due to the protocol not being encrypted at all.

> It would be a vast assumption that since kdesu will work that sudo
> will work also.  kdesu is starting the command with a completely
> different environment and xauth handling is not identical to launching
> from a shell prompt.

Right. I'm begging for working root authentication for sudo for a *long*
time now. That said, it's difficult to achieve in a generally secure way
due to PAM (authentication framework) design decisions.

If security is not of utmost concern (i.e. you trust the users that get
sudo capabilities), remove "env_reset" in /etc/sudoers. That might just
be enough, because DISPLAY, XAUTHORITY, and HOME remain on the same
data.

This won't help if your home is on NFS and exported with root_squash
(default), though :-P

HTH

Matthias

-- 
Matthias Hopf <[EMAIL PROTECTED]>
Maxfeldstr. 5 / 90409 Nuernberg
Phone +49-911-74053-715
R & D   www.mshopf.de   [EMAIL PROTECTED]
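
A defensive check for the two settings discussed in this thread, added here as an example that is not part of the original post: it classifies `xhost` output and reports how a sudoers file treats `env_reset` and the X11 variables. The function names and sample inputs are constructed, and passing `DISPLAY` and `XAUTHORITY` through `env_keep` instead of removing `env_reset` is an assumption about a narrower alternative, not something the poster proposed.

```shell
#!/bin/sh
# Added example; function names and sample inputs are constructed.

# Classify `xhost` output read from stdin, one finding per risky line.
audit_xhost() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control is off (xhost +)" ;;
            "access control enabled"*|"") ;;
            SI:localuser:*)
                echo "WARN: local user ${line#SI:localuser:} may connect without a cookie" ;;
            LOCAL:*)
                echo "HIGH: every local user may connect" ;;
            *)
                echo "HIGH: host-based entry $line" ;;
        esac
    done
}

# Report how sudoers text on stdin treats env_reset and the X11 variables.
# "unset" means no explicit line: the effective value is sudo's built-in default.
audit_sudoers() {
    reset=unset x11=dropped
    while IFS= read -r line; do
        case "$line" in Defaults*) ;; *) continue ;; esac  # skips comments too
        case "$line" in
            *'!env_reset'*) reset=off ;;
            *env_reset*)    reset=on ;;
        esac
        case "$line" in
            *env_keep*DISPLAY*XAUTHORITY*|*env_keep*XAUTHORITY*DISPLAY*) x11=kept ;;
        esac
    done
    if [ "$reset" = off ]; then
        echo "RISK: env_reset disabled, the caller's whole environment reaches root"
    elif [ "$x11" = kept ]; then
        echo "KEPT: env_reset=$reset, DISPLAY and XAUTHORITY pass via env_keep"
    else
        echo "INFO: env_reset=$reset, DISPLAY and XAUTHORITY are not whitelisted"
    fi
}

# Constructed samples.
printf '%s\n' 'access control enabled, only authorized clients can connect' \
    'SI:localuser:root' | audit_xhost
printf '%s\n' 'Defaults env_reset' \
    'Defaults env_keep += "DISPLAY XAUTHORITY"' | audit_sudoers
```

On a live system the same functions can be fed with `xhost | audit_xhost` and `sudo cat /etc/sudoers | audit_sudoers`.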
