[Bug 2440] New: X11 connection will fail if user's home directory is read-only

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Aug 6 07:56:26 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2440

            Bug ID: 2440
           Summary: X11 connection will fail if user's home directory is
                    read-only
           Product: Portable OpenSSH
           Version: 6.8p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: huieying.lee at oracle.com

Created attachment 2680
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2680&action=edit
This patch is to change the location of the XAUTHORITY file from
~/.Xauthority to  per session Xauh file in /tmp directory

If a user's home directory is read-only, then X11 connection will be
rejected because of wrong authentication.  For example, 

    $ssh  -l hylee_local a-server          
    Password: 
    Last login: Wed Aug  5 14:09:42 2015 from 10.132.148.106
    /usr/bin/xauth:  timeout in locking authority file
/export/home/hylee_local/.Xauthority

    hylee_local$/usr/bin/xemacs /tmp/junk
    X11 connection rejected because of wrong authentication.
    ...

The root cause of the problem is because the xauth program (invoked by
sshd) couldn't lock the non-writable the ~/.Xauthority file.

This is a serious problem on Solaris, because a writable home directory 
isn't always available for root in an immutable zone.

We have resolved this problem by changing sshd to use a distinct
temporary X authority file for each session.  This temporary Xauthority
file will be stored in the /tmp directory and it will be removed when
the session is closed.

Attached is our bug-fix patch file, which applies to OpenSSH6.8p1.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list