Re: X11Forwarding, ssh -X, and /bin/su

From: Darren Dunham (ddunham_at_redwood.taos.com)
Date: 07/09/04


Date: Thu, 08 Jul 2004 22:41:06 GMT

bad_knee <bl8n8r@yahoo.com> wrote:
>> > Password:
>> > # /usr/openwin/bin/xclock # this does not display
>> > X connection to server:11.0 broken (explicit kill or server shutdown).
>>
>> Hmm. Looks like display is set, and I don't see a permission error that
>> would point to a bad authority. Can you read the proper authority file
>> (often ~/.Xauthority)?

> After kludging around a bit, yeah, it looks like I have to export
> the DISPLAY variable again after su'ing. I thought this was the reason
> ssh used the X11Offset (:10.0)?

I don't see why. Your error message above looks like it's already set
to server:11.0.

> Anyway, I got it working doing and 'export DISPLAY=clientbox:0.0',
> but I'm not really tunneled using ssh then, am I ? I can see cleartext
> coming back to the clientbox on port 6000 (running snort).

Right. You're not using SSH at all with that traffic.

> I ran strace (gnu version) on xclock to see what was causing it to hurl,
> and it *was* barfing on .Xauthority of the user that su'd to root (I'm
> on solaris 9/sparc bash) -- permission denied.

> The user that su'd has the home directory mounted via NIS and root has
> *no* write access to those home directories except on the NIS server.
> If xclock is trying to write to .Xauthority it will fail, making the
> ssh tunnel fail as well??

More to the point, root probably doesn't have read access in this case,
so it doesn't have the key to send to the server.

> The Other option is to use /.Xauthority by doing an su - (login shell)
> instead of only su. This however requires exporting the DISPLAY to
> clientbox:0.0 and getting cleartext over port 6000, correct?

There are several options. One would be to use an authority file that
isn't on NFS. Copy the file to /tmp (with proper permissions), change
XAUTHORITY to point to it, and su.

-- 
Darren Dunham                                           ddunham@taos.com
Senior Technical Consultant         TAOS            http://www.taos.com/
Got some Dr Pepper?                           San Francisco, CA bay area
         < This line left intentionally blank to confuse you. >
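The workaround Darren describes in his last paragraph (a private copy of the authority file outside NFS, XAUTHORITY pointed at it, then su), together with a check that DISPLAY still names the sshd-provided display rather than the client's own X server as in the earlier exchange, written up as an added POSIX shell example that is not part of the original thread. The function names stage_xauthority and display_is_tunneled and the /tmp/xauth.XXXXXX template are my own choices; the script assumes mktemp and a Bourne-compatible shell.

```shell
#!/bin/sh
# Added example (not from the original thread): keep X11 forwarding working
# across a plain "su" when $HOME is on NFS and root cannot read ~/.Xauthority.

# Copy the user's authority file to a private file outside NFS and print its
# path. Root can read a local file regardless of mode bits, so 0600 keeps the
# MIT cookie from other users while still letting the su'd root shell use it.
stage_xauthority() {
    src="${1:-${XAUTHORITY:-$HOME/.Xauthority}}"
    if [ ! -r "$src" ]; then
        echo "stage_xauthority: cannot read $src" >&2
        return 1
    fi
    # /tmp/xauth.XXXXXX is a template name chosen for this example
    dst=$(mktemp /tmp/xauth.XXXXXX) || return 1
    chmod 600 "$dst" || return 1
    cat "$src" > "$dst" || return 1
    printf '%s\n' "$dst"
}

# Return 0 when DISPLAY names the sshd-provided display (localhost, the unix
# socket, or this host itself, as in the thread's "server:11.0"), and 1 when
# it names another machine, which sends X traffic in the clear to that host's
# TCP port 6000+N instead of through the ssh tunnel.
display_is_tunneled() {
    disp="$1"
    self="${2:-$(hostname)}"
    host="${disp%%:*}"
    case "$host" in
        ''|localhost|unix|"$self") return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use before switching user (a plain "su" keeps both variables;
# "su -" resets the environment and would need them exported again):
#   XAUTHORITY=$(stage_xauthority) && export XAUTHORITY
#   display_is_tunneled "$DISPLAY" || echo "DISPLAY would bypass the ssh tunnel" >&2
#   su
```

Note that the staged copy is only as private as /tmp allows: mktemp creates it with a unique name and mode 0600, so another unprivileged user cannot read the cookie, and it should be removed once the root session ends.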

