Passing X credentials across su with localhost:displayno - SSH


  1. Passing X credentials across su with localhost:displayno


    Hi folks.

    I've been using $(hostname):displayno for a while now, and it works well,
    even across su, due to a python wrapper script I wrote that will save the
    relevant X credential in a user-readable-only file and give that file to
    the target user (with a setuid C wrapper for the script itself to allow
    giving away files and a bash wrapper for the C wrapper for convenience
    features).

    However, I'd like to do the same with localhost:displayno (with
    "X11UseLocalhost yes"), but the same technique does not appear to work in
    this case. Why is that? Is there some sort of extra layer of
    verification going on with localhost:displayno relative to
    $(hostname):displayno that prevents other users from authenticating, even
    if they have the credentials (i.e., the xauth cookie and same $DISPLAY)?

    Thanks!

  2. Re: Passing X credentials across su with localhost:displayno

    On Wed, 24 May 2006 20:21:10 +0000, Dan Stromberg wrote:


    > Hi folks.
    >
    > I've been using $(hostname):displayno for a while now, and it works
    > well, even across su, due to a python wrapper script I wrote that will
    > save the relevant X credential in a user-readable-only file and give
    > that file to the target user (with a setuid C wrapper for the script
    > itself to allow giving away files and a bash wrapper for the C wrapper
    > for convenience features).
    >
    > However, I'd like to do the same with localhost:displayno (with
    > "X11UseLocalhost yes"), but the same technique does not appear to work in
    > this case. Why is that? Is there some sort of extra layer of
    > verification going on with localhost:displayno relative to
    > $(hostname):displayno that prevents other users from authenticating,
    > even if they have the credentials (i.e., the xauth cookie and same
    > $DISPLAY)?
    >
    > Thanks!


    I probably should be more specific.

    It's been a while since I looked at this, but I believe localhost:123 (for
    example) didn't show up in xauth's list of displays, so there was nothing
    to pass...


  3. Re: Passing X credentials across su with localhost:displayno

    On Thu, 25 May 2006 20:44:12 +0000, Dan Stromberg wrote:

    > On Wed, 24 May 2006 20:21:10 +0000, Dan Stromberg wrote:
    >
    >
    >> Hi folks.
    >>
    >> I've been using $(hostname):displayno for a while now, and it works
    >> well, even across su, due to a python wrapper script I wrote that will
    >> save the relevant X credential in a user-readable-only file and give
    >> that file to the target user (with a setuid C wrapper for the script
    >> itself to allow giving away files and a bash wrapper for the C wrapper
    >> for convenience features).
    >>
    >> However, I'd like to do the same with localhost:displayno (with
    >> "X11UseLocalhost yes"), but the same technique does not appear to work in
    >> this case. Why is that? Is there some sort of extra layer of
    >> verification going on with localhost:displayno relative to
    >> $(hostname):displayno that prevents other users from authenticating,
    >> even if they have the credentials (i.e., the xauth cookie and same
    >> $DISPLAY)?
    >>
    >> Thanks!
    >
    > I probably should be more specific.
    >
    > It's been a while since I looked at this, but I believe localhost:123 (for
    > example) didn't show up in xauth's list of displays, so there was nothing
    > to pass...


    It turned out that although "localhost" appears in the display name
    created by ssh, the relevant socket is not in the internet domain bound
    only to loopback. It's really a unix domain socket.

    So just deleting the "localhost" part from the display made things pretty
    simple to pass. I just wrote a setuid program that knew how to give away
    one's own X credentials to another user by writing them to a file in /tmp.

    Please note that this doesn't really make it any more possible for
    anyone but a very clumsy attacker to get your X authentication. If they
    have root on a system you're logging into, and you used -X or -Y, they
    pretty much can do what they want with it either way.

    I'm a little surprised no one started chanting "security through
    obscurity" on this issue.
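Added example, not part of the original posts and not the poster's setuid program: a small parser for the Xauthority file format that shows why a cookie for an ssh-forwarded display is listed as `hostname/unix:N` and not as `localhost:N`. The host name `myhost`, the cookie bytes and the simplified matching rule in `lookup` are assumptions made for the illustration; it also assumes the cookie was stored under a `unix:N` key, as OpenSSH's sshd does with "X11UseLocalhost yes".

```python
import struct

FAMILY_INTERNET, FAMILY_LOCAL = 0, 256  # family codes from the X11 headers

def parse_xauthority(blob):
    """Each record: big-endian u16 family, then four u16-length-prefixed
    fields (address, display number, auth name, auth data)."""
    entries, pos = [], 0
    while pos < len(blob):
        vals = []
        for i in range(5):
            if pos + 2 > len(blob):
                raise ValueError("truncated record")
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if i == 0:                    # first u16 is the family, not a length
                vals.append(n)
                continue
            if pos + n > len(blob):
                raise ValueError("truncated field")
            vals.append(blob[pos:pos + n])
            pos += n
        entries.append(dict(zip(("family", "address", "number", "name", "data"), vals)))
    return entries

def list_key(e):
    """Display name for an entry, in the style of `xauth list`."""
    num = e["number"].decode()
    if e["family"] == FAMILY_LOCAL:
        return f"{e['address'].decode()}/unix:{num}"
    if e["family"] == FAMILY_INTERNET and len(e["address"]) == 4:
        return ".".join(map(str, e["address"])) + ":" + num
    return f"<family {e['family']}>:{num}"   # other families not rendered here

def lookup(entries, display, hostname):
    """Find the entry for a DISPLAY value. Simplification (assumption): an empty
    host, "unix" and "localhost" all map to FamilyLocal + our own hostname."""
    host, sep, rest = display.rpartition(":")
    if not sep or host not in ("", "unix", "localhost"):
        return None
    number = rest.split(".")[0].encode()
    return next((e for e in entries if e["family"] == FAMILY_LOCAL
                 and e["address"] == hostname.encode() and e["number"] == number), None)

def _record(family, *fields):             # builds the constructed sample records
    return struct.pack(">H", family) + b"".join(struct.pack(">H", len(f)) + f for f in fields)

# Constructed sample: a forwarded-display cookie (:10) and a console cookie (:0).
SAMPLE = (_record(FAMILY_LOCAL, b"myhost", b"10", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + _record(FAMILY_LOCAL, b"myhost", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16)))
```

`list_key` never returns the cookie bytes, so the listing can be logged or compared without exposing the credential itself.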


