gas@cs.nott.ac.uk (Alan Shepherd) (04/08/91)
I asked this question first quite a while ago, but there was no response and since there has been some brief discussion of xdm recently, I thought I'd try again.

Has anybody got xdm to work with authorization turned on? I tried it and after some persistence eventually got it to almost work. The only thing which failed was trying to use xterm (pretty important!). Every xterm, from any host including localhost, was refused connection even though other clients worked fine. Is this a problem with xterm or xdm?

If anyone has got it working, I'd be really pleased to hear from them.

Thanks,
Alan Shepherd
stripes@eng.umd.edu (Joshua Osborne) (04/23/91)
In article <1991Apr8.133632.16131@cs.nott.ac.uk>, gas@cs.nott.ac.uk (Alan Shepherd) writes:
[...]
> Has anybody got xdm to work with authorization turned on ? I tried it
> and after some persistence eventually got it to almost work. The only
> thing which failed was trying to use xterm (pretty important !).
> Every xterm, from any host including localhost, was refused connection
> even though other clients worked fine. Is this a problem with xterm
> or xdm ?

If you have xterm set-uid root (or just plain set-uid) then it is xterm's fault. xterm does the OpenDisplay before it switches euid back to the user who is running the program. This means it tries to read the .Xauthority file while it is still root. If the .Xauthority file is on an NFS mounted partition it is fairly likely that root is set up to map to nobody, which means the .Xauthority can not be read.

I did an e<->r uid swap on both sides of the OpenDisplay and xterm worked again (well, actually I ran without it setuid for months, then I went and did this). However, for some reason this seems to add gid 0 (group wheel) to everyone's active group list! I haven't investigated this yet (I did a scan for files that have access bits set for group and are group wheel, found none. We also use Kerberos so su doesn't care if you are a wheel or not).

> If anyone has got it working, I'd be really pleased to hear from them.

Well, I'm not really doing much work on it right now, but hopefully these hints will get you a little further along.

--
stripes@eng.umd.edu          "Security for Unix is like
Josh_Osborne@Real_World,The      Multitasking for MS-DOS"
"The dyslexic porgramer"         - Kevin Lockwood
"CNN is the only nuclear capable news network..."
    - lbruck@eng.umd.edu (Lewis Bruck)
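The uid swap around the privileged open that the reply above describes, as an added example (not code from the thread or from the xterm sources). It uses POSIX seteuid/setegid and assumes a system with a saved set-user-ID; `open_as_real_user` and `ids_unchanged_across_open` are hypothetical names, and the second function checks for the kind of group-list change mentioned in the reply.

```c
#define _POSIX_C_SOURCE 200809L   /* for seteuid/setegid declarations */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: open `path` with the invoking user's effective IDs,
 * then restore the original ones (regaining euid uses the saved set-user-ID). */
int open_as_real_user(const char *path, int flags)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int fd, err;

    /* Drop the group first: changing egid may need the privileged euid. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        err = errno;
        if (setegid(egid) == 0) errno = err;
        return -1;
    }
    fd = open(path, flags);        /* access check now uses the real user */
    err = errno;
    /* Regain in reverse order; fail closed if either step fails. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

/* Returns 1 if euid, egid and the supplementary group list are identical
 * before and after the call, 0 otherwise (or if the list exceeds 64). */
int ids_unchanged_across_open(const char *path)
{
    gid_t before[64], after[64];
    uid_t euid = geteuid();
    gid_t egid = getegid();
    int nb = getgroups(64, before), na, fd;

    fd = open_as_real_user(path, O_RDONLY);
    if (fd >= 0) close(fd);
    na = getgroups(64, after);
    return nb >= 0 && nb == na && euid == geteuid() && egid == getegid()
        && memcmp(before, after, (size_t)nb * sizeof(gid_t)) == 0;
}

int main(void) { return ids_unchanged_across_open("/dev/null") ? 0 : 1; }
```

In a set-uid binary the same wrapper would go around the display open, so the `.Xauthority` read is checked against the invoking user rather than root.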