Re: [gdm-list] Why does GDM 2.22.0 set the xauth file owner as the login user

Simon:

To clarify, I was just surprised to realize that this area of GDM has
changed.  Reading section 3.3 of the GDM docs [1], the old directory
used 1770 permissions for the Xauth directory.  Its purpose was
only to give both the root and gdm user access to the Xauth key so
that GDM has permissions to display the GUI on the display.

Then I believe GDM calls the function gdm_auth_user_add to ensure
that the user's $HOME/.Xauthority file contains the key.  It
seems better for GDM to honor the user's file rather than setting
XAUTHORITY to /var/run/gdm and then loosening permissions on this
directory.

It seems GDM should respect the user's $HOME/.Xauthority file if
it already exists rather than creating a new token.

Though this doesn't work perfectly in the existing GDM [2].

Brian

[1] http://www.gnome.org/projects/gdm/docs/2.20/security.html
[2] http://bugzilla.gnome.org/show_bug.cgi?id=171188


On Wed, 2008-05-21 at 14:14 -0400, Ray Strode wrote:
> Hi,
>
> > Also, I notice Fedora sets it as "01777". So "01777" is mandatory on
> > GDM 2.22, right?
>
> Right, every X client needs read access to their associated cookie
> file, and furthermore, needs write access to /var/run/gdm for libXau
> locking.
> You could probably get away with 1773 without problems.
>
> > Talking with Brian, he stated "normal users shouldn't be able to access
> > the /var/run/gdm directory. This is where GDM stores the Xauth keys so
> > that GDM can interact with any Xsession it starts if needed." If so,
> > "root:gdm" ownership and "1770" permissions are right.
> >
> > On the other hand, the X client xauth file is stored at "$HOME/.Xauthority"
> > on old GDM. It could save a key for each display. For example,
> >
> > # /usr/openwin/bin/xauth -f /export/home/zheng/.Xauthority list
> > goalkeeper:0  MIT-MAGIC-COOKIE-1  ccf5f7e6dff8cbf8e6d5c1cfd4fedbc9
> > goalkeeper/unix:0  MIT-MAGIC-COOKIE-1  884828afe2aafe458dea03cf0d74d007
> > localhost.localdomain/unix:0  MIT-MAGIC-COOKIE-1  884828afe2aafe458dea03cf0d74d0
> >
> > However, GDM 2.22.0 takes a new way: a new xauth file is created each
> > time "AddUserAuthorization" is called, and there's always only one entry
> > in the file. This might be difficult to support multiple displays. It would
> > be better if we could copy the Xauth key to "$HOME/.Xauthority" like old
> > GDM 2.20. Any idea?
> >
> > -Simon
>
> > In addition, like "/tmp", "/var/run" will be cleaned and removed when
> > you reboot on Solaris. This is different from Linux. We probably need to
> > create this dir once it doesn't exist.
>
> Makes sense.  I don't think anyone would mind if you committed a patch
> to do that.
>
> --Ray
> _______________________________________________
> gdm-list mailing list
> gdm-list gnome org
> http://mail.gnome.org/mailman/listinfo/gdm-list




--

Brian
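The per-display entries Simon lists above and the "copy the key into $HOME/.Xauthority" behaviour Brian argues for, as an added Python example that is not GDM's or libXau's own code: it decodes the libXau on-disk layout (big-endian u16 family followed by four length-prefixed fields), lists entries the way `xauth list` does, and merges a one-entry GDM 2.22-style file into a multi-entry home file the way `xauth merge` would. The sample files and cookie bytes are constructed here.

```python
FAMILY_LOCAL = 256  # X11/Xauth.h FamilyLocal: unix-domain socket, shown as host/unix:N
COOKIE = b"MIT-MAGIC-COOKIE-1"

def _field(buf, pos):
    # one length-prefixed (big-endian u16) field -> (bytes, next offset)
    n = int.from_bytes(buf[pos:pos + 2], "big")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(buf):
    # libXau on-disk layout: u16 family, then address, number, name, data fields
    entries, pos = [], 0
    while pos < len(buf):
        family = int.from_bytes(buf[pos:pos + 2], "big")
        address, pos = _field(buf, pos + 2)
        number, pos = _field(buf, pos)
        name, pos = _field(buf, pos)
        data, pos = _field(buf, pos)
        entries.append((family, address, number, name, data))
    return entries

def serialize(entries):
    out = bytearray()
    for family, *fields in entries:
        out += family.to_bytes(2, "big")
        for f in fields:
            out += len(f).to_bytes(2, "big") + f
    return bytes(out)

def display_key(entry):
    # name the display the way `xauth list` does (FamilyLocal -> host/unix:N)
    family, address, number = entry[:3]
    return "%s%s:%s" % (address.decode(), "/unix" if family == FAMILY_LOCAL else "", number.decode())

def list_entries(buf):
    # `xauth list` equivalent: (display, auth name, hex cookie) per entry
    return [(display_key(e), e[3].decode(), e[4].hex()) for e in parse_xauthority(buf)]

def merge(home_buf, new_buf):
    # `xauth merge` equivalent: same family/address/number is replaced, other displays kept
    merged = parse_xauthority(home_buf)
    for new in parse_xauthority(new_buf):
        merged = [e for e in merged if e[:3] != new[:3]]
        merged.append(new)
    return serialize(merged)

# Constructed sample (not real cookies): a $HOME/.Xauthority holding two
# per-display entries, and a one-entry GDM 2.22-style file that re-keys :0.
HOME_FILE = serialize([(FAMILY_LOCAL, b"goalkeeper", b"0", COOKIE, bytes(range(16))),
                       (FAMILY_LOCAL, b"goalkeeper", b"1", COOKIE, bytes(range(16, 32)))])
GDM_FILE = serialize([(FAMILY_LOCAL, b"goalkeeper", b"0", COOKIE, bytes(range(32, 48)))])
MERGED = merge(HOME_FILE, GDM_FILE)  # still two entries; :0 now carries the GDM cookie
```

Merging this way keeps the other display's entry intact, which is what a single-entry file written by GDM 2.22 per session cannot do on its own.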

