Failed X11 authentication does the wrong thing

Darren Moffat Darren.Moffat at eng.sun.com
Sat Jul 28 05:04:01 EST 2001


>I meant to say that any X access using xauth, including what OpenSSH does
>for X forwarding, has the limitation.  If you're using plain old xhost
>authentication (abhorrent though it is) you don't have the same problem.

Agreed.

>> Which is why people should use RBAC systems rather than su to root ;-)
>> (Actually it really needs to be RBAC plus fine grained privilege).
>
>Forgive my ignorance, but what's RBAC?  I guess "something something Access
>Control".

Sorry, Role Based Access Control.

sudo is kind of a form of RBAC.

>in this discussion.  Does your PAM module only copy the cookies when su-ing
>to root?

Yep.

>If you're su-ing to root anyway, perhaps all you need to do is set
>$XAUTHORITY to point to the original user's $HOME/.Xauthority.  Oh, I see,
>when you're going over NFS, access by the root user id is usually
>disallowed.  Was that the main purpose for your PAM module?

Exactly.  (The case I wrote it for was even more restrictive since it
was NFS over Secure RPC).

Which was the same as the case demonstrated in the original email, hence
my mentioning of it.

--
Darren J Moffat




More information about the openssh-unix-dev mailing list