Failed X11 authentication does the wrong thing

Nicolas Williams Nicolas.Williams at ubsw.com
Sat Jul 28 07:25:40 EST 2001


On Fri, Jul 27, 2001 at 01:35:58PM -0500, Dave Dykstra wrote:
> On Thu, Jul 26, 2001 at 03:51:40PM -0400, Nicolas Williams wrote:
> > Ideally the X libs would support the same sort of concept as the
> > ssh-agent but for accessing X cookies.
> > 
> > In fact, I'd really like to see an all-purpose agent along the lines of
> > ssh-agent, but not just for SSH keys: Kerberos ccaches, X cookies, NTLM
> > hashes (think about Samba's smbsh/smbwrapper) and so on.
> 
> 
> But ssh-agent suffers essentially the same problem when su-ing to other
> user ids: the inherited environment variable only points to a unix-domain
> socket that's accessible only by the original user and root.  I was trying
> to think of a way of passing the authentication through when you su to
> another user.

Yes, but, if you're su-ing to root, then you're doing so locally, and
ssh-agent sockets are local, so root can access them. Yes, this breaks
if you're su-ing to some other user, but then you can play permissions
games with the agent's socket (it might be a useful feature to have a
way to get the agent to create new sockets).

If one could rely on open file descriptor inheritance (as much as one
can rely on environment variable inheritance) then things would be
easier, but, alas.

> - Dave Dykstra


Nico

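The descriptor-inheritance idea raised in the message above, worked through as an added example (written for this page, not code from the thread or from OpenSSH). A stand-in agent that answers only SSH_AGENTC_REQUEST_IDENTITIES is started on a Unix-domain socket inside a mode-0700 directory, the way ssh-agent lays out its socket. One client reaches it by path, which is what SSH_AUTH_SOCK carries and which only the directory's owner or root can traverse; a second client connects in the parent and hands the already-connected descriptor to a child process, which then never needs the path or the directory permissions. The message type numbers are the real ssh-agent protocol values; the stub agent, the child script and the temp-directory layout are assumptions of this example.

```python
"""Reach an ssh-agent-style socket by path and, alternatively, by an
inherited file descriptor.  Added example; the agent is a stub that
reports an empty identity list."""
import os
import socket
import struct
import subprocess
import sys
import tempfile
import threading

# Real ssh-agent protocol message numbers.
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENT_FAILURE = 5


def _read_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent connection closed early")
        buf += chunk
    return buf


def serve(listener, nclients):
    """Stub agent: answer one request per client, for nclients clients."""
    for _ in range(nclients):
        conn, _ = listener.accept()
        with conn:
            (length,) = struct.unpack(">I", _read_exact(conn, 4))
            body = _read_exact(conn, length)
            if body[:1] == bytes([SSH_AGENTC_REQUEST_IDENTITIES]):
                reply = struct.pack(">BI", SSH_AGENT_IDENTITIES_ANSWER, 0)
            else:
                reply = bytes([SSH_AGENT_FAILURE])
            conn.sendall(struct.pack(">I", len(reply)) + reply)


def request_identities(sock):
    """Send SSH_AGENTC_REQUEST_IDENTITIES on an open agent connection and
    return the key count from the SSH_AGENT_IDENTITIES_ANSWER."""
    msg = bytes([SSH_AGENTC_REQUEST_IDENTITIES])
    sock.sendall(struct.pack(">I", len(msg)) + msg)
    (length,) = struct.unpack(">I", _read_exact(sock, 4))
    body = _read_exact(sock, length)
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("agent returned failure")
    return struct.unpack(">I", body[1:5])[0]


# Child process (assumed helper): adopts the inherited descriptor number
# given in argv[1] and talks to the agent without knowing the socket path.
CHILD_SCRIPT = r"""
import socket, struct, sys
s = socket.socket(fileno=int(sys.argv[1]))
msg = bytes([11])
s.sendall(struct.pack(">I", len(msg)) + msg)
(length,) = struct.unpack(">I", s.recv(4))
body = s.recv(length)
print(struct.unpack(">I", body[1:5])[0])
"""


def demo():
    """Run the stub agent and reach it both ways; return what each saw."""
    tmp = tempfile.mkdtemp(prefix="agent-")   # constructed, like ssh-XXXX/
    os.chmod(tmp, 0o700)                      # other uids cannot traverse it
    dir_mode = oct(os.stat(tmp).st_mode & 0o777)
    path = os.path.join(tmp, "agent.sock")    # what SSH_AUTH_SOCK would name

    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(2)
    listener.settimeout(10)
    t = threading.Thread(target=serve, args=(listener, 2), daemon=True)
    t.start()

    # 1. By path: needs permission to traverse the 0700 directory.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(10)
        s.connect(path)
        by_path = request_identities(s)

    # 2. By inherited descriptor: connect here, pass the fd to the child.
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    fd = s.fileno()
    out = subprocess.run([sys.executable, "-c", CHILD_SCRIPT, str(fd)],
                         pass_fds=(fd,), capture_output=True,
                         text=True, check=True, timeout=30)
    s.close()
    by_fd = int(out.stdout.strip())

    t.join()
    listener.close()
    os.unlink(path)
    os.rmdir(tmp)
    return {"by_path": by_path, "by_fd": by_fd, "dir_mode": dir_mode}


if __name__ == "__main__":
    print(demo())
```

The child is given only a descriptor number and `pass_fds`, so a process running as another uid after `su` could use the connection exactly as the child here does; the limitation the message notes is that `su` and most login paths do not carry descriptors across, only the environment variable naming the path.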



More information about the openssh-unix-dev mailing list