Server Interpreted "localuser" Authentication using SO_PEERCRED interferes with SSH

Alan Coopersmith alan.coopersmith at oracle.com
Mon May 17 07:56:33 PDT 2010


Tavis Ormandy wrote:
> The problem is, if I'm using xhost +si:localuser:taviso, once the
> timeout has expired, X will fall back to SO_PEERCRED verification. As
> openssh opened the connection, the credentials check out and I'm
> authenticated. This is bad, because now the remote (possibly compromised)
> machine has a trusted X connection to my workstation.

You should not use +si:localuser:taviso unless you want every single process
running with that userid to be granted full access to your display.

> But it turns out this doesn't work with si:localuser authentication, as even
> though the cookie should be rejected, X falls back to peer credentials. I'm not
> sure this was intended, after I've tried to authenticate with an expired
> untrusted cookie, shouldn't the connection be rejected? Was this intended
> behaviour?

I don't think that's unique to the +si:local*, but any of the forms of
authentication that work will be used.   I'd expect the same results if
you did xhost +local: or xhost +localhost (whichever covers the connection
type ssh is using to connect).

-- 
	-Alan Coopersmith-        alan.coopersmith at oracle.com
	 Oracle Solaris Platform Engineering: X Window System
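
Added example, not part of the thread and not X server code: a minimal Linux C model of what an SO_PEERCRED-based check can see, where the forked child stands in for a local forwarder such as openssh. The function name `localuser_check` and the abstract socket name are hypothetical; the kernel reports only the pid and uid of the process that called connect(), so the check passes for any connection the forwarder opens.

```c
#define _GNU_SOURCE   /* struct ucred on glibc */
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed model of an si:localuser-style check (Linux only). Returns 1 if
 * the peer's uid equals allowed_uid, 0 if not, -1 on error. *peer_is_forwarder
 * is set when the kernel-reported peer pid is the local process that connected. */
int localuser_check(uid_t allowed_uid, int *peer_is_forwarder) {
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    /* Abstract-namespace name (leading NUL byte): nothing is left on disk. */
    int n = snprintf(addr.sun_path + 1, sizeof(addr.sun_path) - 1,
                     "peercred-demo-%ld", (long)getpid());
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&addr, alen) < 0 ||
        listen(lfd, 1) < 0)
        return -1;
    /* The child stands in for a forwarder: a local process that opens the
     * connection on behalf of traffic that originated somewhere else. */
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        char b;
        int c = socket(AF_UNIX, SOCK_STREAM, 0);
        /* read() blocks until the server side closes, keeping the peer alive */
        _exit(c < 0 || connect(c, (struct sockaddr *)&addr, alen) < 0 ||
              read(c, &b, 1) < 0);
    }
    int rc = -1, cfd = accept(lfd, NULL, NULL);
    struct ucred cred;
    socklen_t clen = sizeof(cred);
    if (cfd >= 0 && getsockopt(cfd, SOL_SOCKET, SO_PEERCRED, &cred, &clen) == 0) {
        *peer_is_forwarder = (cred.pid == child);
        rc = (cred.uid == allowed_uid);
    }
    close(cfd); close(lfd);
    waitpid(child, NULL, 0);
    return rc;
}

int main(void) {
    int fwd = 0, ok = localuser_check(geteuid(), &fwd);
    printf("granted=%d peer_is_forwarder=%d\n", ok, fwd);
    return ok != 1;
}
```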


