This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.



Re: errors when switching users (security hole?)


On Tue, 24 Feb 2004, Kris Thielemans wrote:

> I was trying to use Windows XP's 'switch user' feature and get rather
> amazing results. Here is what I did:
> 
> - logged in as account 1 (has admin privs), started XFree there (using
> startxwin.bat)
> - switched to another user ('limited privs'), started XFree there (using
> startxwin.bat)
> 
> I get error messages relating to /tmp/.X11-unix (permission denied).
> If you check startxwin.bat, this is indeed a problem. Every user/session
> will use the same filename. My 2nd user does not have permission to mess
> around with the /tmp/.X11-unix created by the first user, so it has
> problems.
> 
> Maybe this can be fixed by using /tmp/$USER/.X11-unix or so. But maybe you
> do not want it to be fixed (see below).
> 
> 
> However, now comes the weird thing.
> I then switched back to account 1. And it has a new Xterm open, which seems
> to be owned by user 2 (that is 'id -un' reports user 2)! I did not really
> check if it has all relevant permissions and so on but it's pretty scary
> anyway!
> 
> Do you think user switching could be supported by XFree? (Don't worry if you
> say no. It's not a life-saving requirement for me!)

This is normal behaviour. X11 communication works either via TCP/IP, where the
xserver uses port 6000 + display number, or via unix domain sockets, where the
xserver uses the file /tmp/.X11-unix/X${display number}.

If you want to start another xserver as a different user you have to supply 
a screen number different from those of all started servers.

E.g., if the first server was started with XWin -options, then the second should
be started with XWin :1 -options

bye
	ago
-- 
 Alexander.Gottwald@s1999.tu-chemnitz.de 
 http://www.gotti.org           ICQ: 126018723
 Chemnitzer Linux-Tag 2004 - 6 and 7 March 2004
 http://www.tu-chemnitz.de/linux/tag
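
Added example (not part of the original message or of the Cygwin/XFree86 project): shell helpers that apply the display-number mapping described in the reply, pick a display number with no socket file yet, and report which uid owns an existing socket so a start script can avoid attaching to another user's server. The function names and the X_SOCKET_DIR override are assumptions of this example.

```shell
#!/bin/sh
# Directory holding the X11 unix-domain sockets. The default is the path
# quoted in the message; the override is an assumption of this example so
# the scan can be pointed at another directory.
X_SOCKET_DIR="${X_SOCKET_DIR:-/tmp/.X11-unix}"

# Print the unix-domain socket path for display number $1.
x_socket_path() {
    printf '%s/X%s\n' "$X_SOCKET_DIR" "$1"
}

# Print the TCP port for display number $1 (6000 + display number).
x_tcp_port() {
    echo $((6000 + $1))
}

# Print the numeric uid owning the socket of display $1.
# Returns 1 if no socket file exists for that display.
x_socket_owner() {
    p=$(x_socket_path "$1")
    [ -e "$p" ] || return 1
    ls -ldn "$p" | awk '{print $3}'
}

# Print the lowest display number (0..63) with no socket file present.
# A leftover file from a crashed server counts as taken, which errs on
# the side of not sharing a display. Returns 1 if the range is full.
first_free_display() {
    n=0
    while [ "$n" -lt 64 ]; do
        if [ ! -e "$(x_socket_path "$n")" ]; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Usage ("XWin :N -options" is the form given in the message):
#   d=$(first_free_display) && XWin ":$d" -options
```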

