Re: (forw) gksu security bug? (xauth visible to all users)

[Gustavo Noronha Silva]

Em Thu, 13 Nov 2003 10:15:27 +0100, address@hidden escreveu:

> Hi, i just sent the included email to the person listed in AUTHOR for the gksu
> package. After reading the security FAQ, I decided to forward this mail
> to the security team email address.

Indeed...

I tried to fix this same problem before by doing exactly what's being done
now, but I did not consider this problem you're bringing to my attention.

I'll find a way to fix the problem you're reporting as soon as possible
(maybe tonight).

I think, now, that the best way of handling this issue will be having
a simple setuid binary, so that I can create the .Xauthority file myself
and have it fix the permissions if the target user is not root, or something.

Still have to think about this.

Thanks,

Quoting the original email:

>  Hi.
>  I tried the 'gksu' program on my Debian box today, and noticed that 
>  if I do a "gksu synaptic" (for example), it seems other users can use
>  "ps axwwe | grep 'xauth add'" to find a process which runs like this:
> 
>  bash -c /usr/bin/env -u XAUTHORITY=/tmp/gksu-[random string]/.Xauthority 
> /usr/X11R6/bin/"xauth add :0 . "[hex string here]" >& /dev/nulll; 
> /usr/bin/env -u XAUTHORITY=/tmp/gksu-[random string]/.Xauthority synaptic
> 
>  It seems other users then can connect to the X server by simply setting 
> DISPLAY=:0 and running the xauth add command listed above.
> 
>  Is this a real issue, or have I missed something? I'm not 100% sure how the
>  xauth stuff is supposed to work.
> 
>  - Frode

-- 
address@hidden: Gustavo Noronha <http://people.debian.org/~kov>
Debian:  <http://www.debian.org>  *  <http://www.debian-br.org>
  "Não deixe para amanhã, o WML que você pode traduzir hoje!"
        http://debian-br.alioth.debian.org/?id=WebWML