List: freedesktop-xorg-devel
Subject: Default local auth policy
From: daniel () fooishbar ! org (Daniel Stone)
Date: 2009-03-23 15:10:19
Message-ID: 20090323151019.GB16885 () fooishbar ! org
Hi,

On Fri, Mar 20, 2009 at 04:36:22PM -0700, Eric Anholt wrote:
> On Tue, 2009-03-17 at 14:06 -0400, Adam Jackson wrote:
> > On Mon, 2009-03-16 at 12:52 -0700, Eric Anholt wrote:
> > > On Fri, 2009-03-13 at 13:46 -0400, Adam Jackson wrote:
> > > > Normally I'd just change the default here, but I think this might be a
> > > > significant enough difference in behaviour that you should have to ask
> > > > for it. So. New -localuser option? Change the default? Bad idea,
> > > > give up, take up farming?
> > >
> > > It sounds sensible, the only thing I'm concerned about is whether with
> > > this new default I could sudo <X app> and still get success.
> >
> > It's not particularly well specified, at least for
> > getsockopt(SO_PEERCRED). The Linux implementation appears to give you
> > the effective UID, not real, so suid apps would fail. I'm not sure what
> > the other OS's implement offhand.
>
> And sudo would fail as well? That's extremely uncool. Unless the plan
> is to add +si:localuser:0 as well.

Yeah, good point. sudo mangles both real and effective gid, so we don't
really have a useful way to tell, so I guess you could just allow root
per default.

Note that this still breaks when using sudo -H, which is arguably a very
sensible idea in the first place, unless you manually set $XAUTHORITY,
and it's not a regression from su -. But blaming the sudo developers
for this breaking seems a little pedantic.

Cheers,
Daniel
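
The peer-credential check discussed in this thread, as an added example for Linux that is not part of the original message and is not the X server's code. The helper names and the `allow_root` switch are assumptions; the policy shown is "server owner, optionally plus UID 0", the `+si:localuser:0` case raised above.

```c
#define _GNU_SOURCE   /* exposes struct ucred in <sys/socket.h> on glibc */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: read the peer UID the kernel recorded for a Unix
 * socket. On Linux this is the peer's effective UID, as the thread notes. */
static int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    if (len != sizeof(cred))
        return -1;              /* short answer: do not trust it */
    *uid = cred.uid;
    return 0;
}

/* Hypothetical policy: accept the user who owns the server, and root only
 * when allow_root is set. Everything else is denied. */
static int local_policy_allows(uid_t peer, uid_t owner, int allow_root)
{
    if (peer == owner)
        return 1;
    return allow_root && peer == 0;
}

/* Connect to ourselves over a socketpair and apply the policy.
 * Returns 1 = allowed, 0 = denied, -1 = error. */
static int check_self_connection(int allow_root)
{
    int sv[2], rc;
    uid_t uid = (uid_t)-1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    rc = peer_uid(sv[0], &uid);
    close(sv[0]);
    close(sv[1]);
    return rc == 0 ? local_policy_allows(uid, geteuid(), allow_root) : -1;
}

int main(void)
{
    printf("same user, owner-only policy: %d\n", check_self_connection(0));
    printf("root peer, owner-only policy: %d\n", local_policy_allows(0, 1000, 0));
    printf("root peer, root allowed:      %d\n", local_policy_allows(0, 1000, 1));
    return 0;
}
```

A client started through sudo or a setuid-root binary presents UID 0 here, so the owner-only policy denies it and only the variant with root allowed accepts it.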