Server Interpreted "localuser" Authentication using SO_PEERCRED interferes with SSH
Alan Coopersmith
alan.coopersmith at oracle.com
Mon May 17 07:56:33 PDT 2010
Tavis Ormandy wrote:
> The problem is, if I'm using xhost +si:localuser:taviso, once the
> timeout has expired, X will fall back to SO_PEERCRED verification. As
> openssh opened the connection, the credentials check out and I'm
> authenticated. This is bad, because now the remote (possibly compromised)
> machine has a trusted X connection to my workstation.
You should not use +si:localuser:taviso unless you want every single process
running with that userid to be granted full access to your display.
> But it turns out this doesn't work with si:localuser authentication, as even
> though the cookie should be rejected, X falls back to peer credentials. I'm not
> sure this was intended, after I've tried to authenticate with an expired
> untrusted cookie, shouldn't the connection be rejected? Was this intended
> behaviour?
I don't think that's unique to the +si:local*, but any of the forms of
authentication that work will be used. I'd expect the same results if
you did xhost +local: or xhost +localhost (whichever covers the connection
type ssh is using to connect).
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Platform Engineering: X Window System
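
The fallback discussed in this message, as an added illustration that is not part of the original post and is not X server code: a simplified Python model in which a connection is admitted by whichever access mechanism succeeds, with the peer uid read via SO_PEERCRED. The function names, the cookie value and the socketpair standing in for the ssh-forwarded connection are assumptions; it runs on Linux only.

```python
import os
import socket
import struct


def peer_uid(sock):
    """Return the uid the kernel recorded for the process holding the other end."""
    # Linux struct ucred is { pid_t pid; uid_t uid; gid_t gid; }.
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    return uid


def access_granted(sock, cookie, valid_cookies, localusers):
    """Simplified model: any one mechanism that succeeds admits the client.

    Returns the name of the mechanism that matched, or None if all failed.
    """
    if cookie in valid_cookies:
        return "cookie"
    # A rejected cookie does not end the check; the peer credentials are
    # still compared against the si:localuser entries.
    if peer_uid(sock) in localusers:
        return "localuser"
    return None


def demo(localusers):
    """Present an expired cookie over a connection opened by a local process.

    Constructed stand-in: 'forwarder_end' plays the local ssh process that
    opens the display connection on behalf of a remote client, so the kernel
    reports the forwarder's uid, not anything about the remote side.
    """
    server_end, forwarder_end = socket.socketpair(socket.AF_UNIX,
                                                  socket.SOCK_STREAM)
    try:
        # The set of valid cookies is empty: the untrusted cookie has timed out.
        return access_granted(server_end, b"expired-cookie", set(), localusers)
    finally:
        server_end.close()
        forwarder_end.close()


if __name__ == "__main__":
    print("with si:localuser entry:   ", demo({os.getuid()}))
    print("without si:localuser entry:", demo(set()))
```

With the current uid in the localuser set the expired cookie is irrelevant and the connection is admitted; with an empty set the same connection is refused.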