Bug 69025
| Summary: | X11 authentication fails with sudo | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Marko Asplund <marko.asplund> |
| Component: | sudo | Assignee: | Karel Zak <kzak> |
| Status: | CLOSED DUPLICATE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.3 | CC: | tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-08-03 12:25:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Marko Asplund
2002-07-17 06:45:30 UTC
This has nothing to do with openssh. It's a sudo problem and probably a WONTFIX as it's a security risk. This is possibly a duplicate of Bug 61524 (or vice versa). In other words: The problem is possibly the same with "su". I would also like to ask, where you see a security risk? Without any explanation, I find this hard to believe. The security risk is that if you allow su from unprivileged user to root user you basically give the unprivileged user full root access. So there is no problem to allow him running X11 applications on his display. The sudo on the other hand is different - most often you use it for restricting the user to running exactly defined process (exact binary, exact parameters...) with root privileges. However if such a process is X11 application which uses user's display there is a high risk of the binary being exploited through it's connection to the display allowing the user getting full root access. Note that the code of Xlib and X11 apps wasn't audited against this kind of attacks. So for not exposing the system for such kind of attacks it's not recommended to allow running x11 apps with sudo and sudo doesn't support it anyway. It is basically still possible to workaround this limitation of sudo but I think this shouldn't be supported by default. |