xauth: needs cookie handling warnings in man page
Jamey Sharp
jamey at minilop.net
Sun Jul 24 10:20:18 PDT 2011
Reviewed-by: Jamey Sharp <jamey at minilop.net>
but there are a few things I'd quibble about. First, of course, the
debian/changelog hunk doesn't go upstream. :-) A patch to the upstream
repo in git-format-patch format would be easier to apply; see
http://wiki.x.org/wiki/Development/Documentation/SubmittingPatches
On Fri, Jul 22, 2011 at 11:18:35PM -0400, Michael Gilbert wrote:
> --- xauth-1.0.6.orig/man/xauth.man
> +++ xauth-1.0.6/man/xauth.man
> @@ -90,6 +90,10 @@
> A protocol name consisting of just a
> single period is treated as an abbreviation for \fIMIT-MAGIC-COOKIE-1\fP.
>
> +WARNING: This usage is considered insecure since the secret magic cookie
> +will be displayed in command histories and for example the output of ps.
> +One should use the "merge" command (as described below) instead. Pay
> +attention to it's warning as well.
s/it's/its/
The "add" command is fine when used interactively, surely? This warning
only applies to passing a subcommand as command-line arguments to xauth?
> .TP 8
> .B "generate \fIdisplayname protocolname\fP \fR[\fPtrusted|untrusted\fR]\fP"
> .B \fR[\fPtimeout \fIseconds\fP\fR]\fP \fR[\fPgroup \fIgroup-id\fP\fR]\fP \fR[\fBdata \fIhexdata\fR]
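Review bot: In the added WARNING paragraph, "This usage" comes directly after the sentence about a single period standing for MIT-MAGIC-COOKIE-1, so it reads as if the abbreviation itself were insecure. Name what is meant, that is, giving the key as a command-line argument, so the warning is unambiguous when read on its own and does not discourage interactive use of "add". "it's warning" should be "its warning".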
> @@ -155,6 +159,11 @@
> the \fInmerge\fP command is used, the numeric format given in the description
> of the \fIextract\fP command is used. If a filename consists of just a single
> dash, the standard input will be read if it hasn't been read before.
> +
> +WARNING: Be careful with the single dash version as depending on the
> +command chain (for example a combination using sudo), the secret key
> +could be exposed to prying eyes in command histories and for example
> +in the output of ps.
> .TP 8
> .B "remove \fIdisplayname\fR..."
> Authorization entries matching the specified displays are removed from the
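Review bot: The added WARNING for the single-dash form never says which step leaks the key: "depending on the command chain (for example a combination using sudo)" leaves the reader to guess which command in the chain carries the key in its arguments. State the case to avoid concretely, and use one term for the secret across both warnings (the first hunk says "secret magic cookie", this one "secret key"). The bare "+" blank line that separates the paragraph would be better as a paragraph macro in man source.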
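An audit for the exposure discussed in this thread, as an added example that is not part of the original mail or of xauth: it scans command lines (shell history or `ps -eo args` output) for `xauth add` calls that carry the key in argv and prints them with the key redacted. The function names and sample lines are constructed for illustration; the operand order `add displayname protocolname hexkey` is assumed from the xauth man page.

```shell
#!/bin/sh
# Added example: flag xauth invocations that put the cookie in argv.
# Input: one command line per line (shell history or `ps -eo args` output).
# Output: matching lines with the hex key redacted, so the audit report
# does not repeat the secret.
find_argv_cookies() {
    awk '
    {
        # Locate the xauth token (bare name or a path ending in /xauth).
        x = 0
        for (i = 1; i <= NF; i++)
            if ($i == "xauth" || $i ~ /\/xauth$/) { x = i; break }
        if (!x) next
        # Skip xauth options; -f takes the authority file as its argument.
        i = x + 1
        while (i <= NF && $i ~ /^-/) { if ($i == "-f") i++; i++ }
        # "add displayname protocolname hexkey": the key is the 3rd operand.
        k = i + 3
        if ($i == "add" && k <= NF && $k ~ /^[0-9A-Fa-f]+$/) {
            $k = "<redacted>"
            print
        }
    }'
}

# Constructed sample input: two argv exposures, three harmless calls.
sample_lines() {
    cat <<'EOF'
xauth add :0 . 0123456789abcdef0123456789abcdef
sudo /usr/bin/xauth -f /root/.Xauthority add host:10 MIT-MAGIC-COOKIE-1 00ff00ff
xauth -f /tmp/cookie.src nextract - :0
xauth merge -
xauth list
EOF
}

sample_lines | find_argv_cookies
```

Calls that read the entry from a file or from standard input ("merge -") are not flagged, because the key is not in their own argument list.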