Default local auth policy

Matthias Hopf mhopf at suse.de
Fri Apr 3 07:08:07 PDT 2009


On Mar 24, 09 02:10:19 +1100, Daniel Stone wrote:
> On Fri, Mar 20, 2009 at 04:36:22PM -0700, Eric Anholt wrote:
> > On Tue, 2009-03-17 at 14:06 -0400, Adam Jackson wrote:
> > > On Mon, 2009-03-16 at 12:52 -0700, Eric Anholt wrote:
> > > > On Fri, 2009-03-13 at 13:46 -0400, Adam Jackson wrote:
> > > > > Normally I'd just change the default here, but I think this might be a
> > > > > significant enough difference in behaviour that you should have to ask
> > > > > for it.  So.  New -localuser option?  Change the default?  Bad idea,
> > > > > give up, take up farming?
> > > > 
> > > > It sounds sensible, the only thing I'm concerned about is whether with
> > > > this new default I could sudo <X app> and still get success.
> > > 
> > > It's not particularly well specified, at least for
> > > getsockopt(SO_PEERCRED).  The Linux implementation appears to give you
> > > the effective UID, not real, so suid apps would fail.  I'm not sure what
> > > the other OS's implement offhand.
> > 
> > And sudo would fail as well?  That's extremely uncool.  Unless the plan
> > is to add +si:localuser:0 as well.
> 
> Yeah, good point.  sudo mangles both real and effective gid, so we don't
> really have a useful way to tell, so I guess you could just allow root
> per default.

Sounds reasonable, in principle. However, citing from the manual:

"If your system supports this method and you use it, be warned that some
programs that proxy connections and are setuid or setgid may get authenticated
as the uid or gid of the proxy process.  For instance, some versions of ssh
will be authenticated as the user root, no matter what user is running the ssh
client, so on systems with such software, adding access for localuser:root may
allow wider access than intended to the X display."

To me this reads as if we MUSTN'T add root as an allowed user, because
that MIGHT add a serious security leak. This specifically includes a
logged in user 'root', which means that the default wouldn't work in
this case :-(((

Matthias

-- 
Matthias Hopf <mhopf at suse.de>      __        __   __
Maxfeldstr. 5 / 90409 Nuernberg   (_   | |  (_   |__          mat at mshopf.de
Phone +49-911-74053-715           __)  |_|  __)  |__  R & D   www.mshopf.de


More information about the xorg-devel mailing list