xhost/xauth stuff: question

#1
08-28-2004
Neil Zanella
xhost/xauth stuff: question

Hello,

I am having problems running a program with the (dangerous)
SET UID set (unfortunately I have to). I know that the
famous command "xhost +" fixes it. However, all I want
to do is, since janesprog is going to be running as
user jane, is to configure my system so that no
matter what, anyone can run janesprog without
getting the message below, without having to
configure any files in their home directory.

Alternatively, a more secure command than
xhost + to allow connections to the given
display ONLY by user jane (which is a
daemon anyways and does not exist as
a real user).

Thank you so much!!!

Neil

joe@dost $ ls -l /usr/bin/janesprog
-rwsr-xr-x 1 jane jane 10000000 Jan 01 01:01 /usr/bin/janesprog
joe@dost $ /usr/bin/janesprog
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

janesprog: cannot connect to X server :0.0

#2
08-28-2004
Jose Maria Lopez Hernandez
Re: xhost/xauth stuff: question

Neil Zanella wrote:
> Alternatively, a more secure command than
> xhost + to allow connections to the given
> display ONLY by user jane (which is a
> daemon anyways and does not exist as
> a real user).


xhost +localhost should be at least more secure, you
can substitute localhost by the name of the machine
where your daemon is running.

To allow single users to use or not use the X system
I think you have to use NIS, but I'm not very sure of
that, so take my advice with caution.


--

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

#3
08-28-2004
Neil W Rickert
Re: xhost/xauth stuff: question

nzanella@cs.mun.ca (Neil Zanella) writes:

>I am having problems running a program with the (dangerous)
>SET UID set (unfortunately I have to). I know that the
>famous command "xhost +" fixes it. However, all I want
>to do is, since janesprog is going to be running as
>user jane, is to configure my system so that no
>matter what, anyone can run janesprog without
>getting the message below, without having to
>configure any files in their home directory.


Most likely, the problem is that, running as user "jane", the program
cannot read ".Xauthority" which it needs to connect to the display.

The solution:

The program should, at startup, do something like

realuid=getuid();
janesuid=geteuid();

seteuid(realuid);

It is now running as the real user, rather than as jane.

When it needs to do something as jane, it should

seteuid(janesuid);
/* do the stuff that needs jane */
seteuid(realuid);

>Alternatively, a more secure command than
>xhost + to allow connections to the given
>display ONLY by user jane (which is a
>daemon anyways and does not exist as
>a real user).


No, don't try that. What you want is to make sure that the process
is not running as jane when it makes X connections.

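The privilege bracketing described in the reply above, written out with every seteuid() return value checked. This is an added example, not code from the thread; priv_init, priv_call and record_euid are hypothetical names, and priv_uid plays the role of janesuid.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

static uid_t real_uid, priv_uid;   /* priv_uid is "janesuid" in the post */

/* Call first thing in main(): remember both ids, then run as the invoking user. */
int priv_init(void) {
    real_uid = getuid();
    priv_uid = geteuid();
    if (seteuid(real_uid) != 0) return -1;
    return geteuid() == real_uid ? 0 : -1;
}

/* Run one step with the file owner's euid, then always return to the real uid. */
int priv_call(int (*step)(void *), void *ctx) {
    if (seteuid(priv_uid) != 0) return -1;
    int rc = step(ctx);
    if (seteuid(real_uid) != 0 || geteuid() != real_uid) {
        /* Staying privileged by accident is worse than stopping. */
        _exit(70);
    }
    return rc;
}

/* Constructed stand-in for the work that needs jane (e.g. opening the database). */
static int record_euid(void *ctx) {
    *(uid_t *)ctx = geteuid();
    return 0;
}

int main(void) {
    if (priv_init() != 0) { perror("seteuid"); return 1; }
    uid_t seen = (uid_t)-1;
    if (priv_call(record_euid, &seen) != 0) return 1;
    printf("privileged step ran as uid %ld, now uid %ld\n",
           (long)seen, (long)geteuid());
    return 0;
}
```

With the binary installed setuid jane, the X connection is opened outside priv_call() and therefore reads the invoking user's .Xauthority; only the wrapped step runs as jane.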

#4
08-29-2004
Neil Zanella
Re: xhost/xauth stuff: question

Neil W Rickert <rickert+nn@cs.niu.edu> wrote in message news:<cgqfdv$bf1$1@usenet.cso.niu.edu>...
> nzanella@cs.mun.ca (Neil Zanella) writes:
>
> >I am having problems running a program with the (dangerous)
> >SET UID set (unfortunately I have to). I know that the
> >famous command "xhost +" fixes it. However, all I want
> >to do is, since janesprog is going to be running as
> >user jane, is to configure my system so that no
> >matter what, anyone can run janesprog without
> >getting the message below, without having to
> >configure any files in their home directory.

>
> Most likely, the problem is that, running as user "jane", the program
> cannot read ".Xauthority" which it needs to connect to the display.
>
> The solution:
>
> The program should, at startup, do something like
>
> realuid=getuid();
> janesuid=geteuid();
>
> seteuid(realuid);
>
> It is now running as the real user, rather than as jane.
>
> When it needs to do something as jane, it should
>
> seteuid(janesuid);
> /* do the stuff that needs jane */
> seteuid(realuid);
>
> >Alternatively, a more secure command than
> >xhost + to allow connections to the given
> >display ONLY by user jane (which is a
> >daemon anyways and does not exist as
> >a real user).

>
> No, don't try that. What you want is to make sure that the process
> is not running as jane when it makes X connections.


That's easier said than done. My process needs to be
user jane when it connects to the database server, and
it is a GUI application, with a database widget built
into the application framework. Since both need to be
done at the same time, I don't think your solution
works. Does anything work, besides "xhost +localhost"?
Can't I do something like "xhost +user@localhost"???

Thanks,

Neil

#5
08-29-2004
Neil W Rickert
Re: xhost/xauth stuff: question

nzanella@cs.mun.ca (Neil Zanella) writes:
>Neil W Rickert <rickert+nn@cs.niu.edu> wrote in message news:<cgqfdv$bf1$1@usenet.cso.niu.edu>...
>> nzanella@cs.mun.ca (Neil Zanella) writes:


>> >I am having problems running a program with the (dangerous)
>> >SET UID set (unfortunately I have to). I know that the
>> >famous command "xhost +" fixes it. However, all I want
>> >[snip]


>> The solution:


>> The program should, at startup, do something like


>> realuid=getuid();
>> janesuid=geteuid();


>> seteuid(realuid);


[snip]

>That's easier said than done. My process needs to be
>user jane when it connects to the database server, and
>it is a GUI application, with a database widget built
>into the application framework.


Is the GUI part in the database server? How is it connecting
to the database server?

Another possibility:

seteuid(realuid);
run "xauth" to get the auth information for $DISPLAY, and
temporarily buffer that in memory.
seteuid(janesuid)
create a temporary file of mode 600
set XAUTHORITY to the path to your temporary file
run "xauth" to write that auth information into your
temp file

Now run the application.

At the end, unlink() the temporary file.

>Can't I do something like "xhost +user@localhost"???


You can do something like that on Solaris if your users are
credentialled (using secure_rpc), and if they are using
SUN-DES-1 authentication for X. But very few people actually do
that, so it is unlikely to be workable.

You might do better by having a procedure whereby your users
do

ssh -X jane@localhost

and the user shell for jane launches the application. That way
the X-forwarding in ssh can handle the display access.


#6
08-30-2004
Neil Zanella
Re: xhost/xauth stuff: question

Neil W Rickert <rickert+nn@cs.niu.edu> wrote in message news:<cgqfdv$bf1$1@usenet.cso.niu.edu>...
> nzanella@cs.mun.ca (Neil Zanella) writes:
>
> >I am having problems running a program with the (dangerous)
> >SET UID set (unfortunately I have to). I know that the
> >famous command "xhost +" fixes it. However, all I want
> >to do is, since janesprog is going to be running as
> >user jane, is to configure my system so that no
> >matter what, anyone can run janesprog without
> >getting the message below, without having to
> >configure any files in their home directory.

>
> Most likely, the problem is that, running as user "jane", the program
> cannot read ".Xauthority" which it needs to connect to the display.
>
> The solution:
>
> The program should, at startup, do something like
>
> realuid=getuid();
> janesuid=geteuid();
>
> seteuid(realuid);


But I would like to solve this problem by simply modifying some
file on my system as root, either one located in jane's directory,
or some global one. I would like to do this in a way that minimizes
the extent to which the system is compromised. I do not know anything
about Xauthority files other than they exist. Is there a way I can
achieve the desired solution without having to modify the C code,
and at most, perhaps, run a shell script (because I need my code to
be portable and using getuid() and setuid() is a little too POSIX
specific for the app. I am writing).

Thanks,

Neil