Bug 69025 - X11 authentication fails with sudo
Status: CLOSED DUPLICATE of bug 164671
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sudo
Version: 7.3
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Ben Levenson
Reported: 2002-07-17 06:45 UTC by Marko Asplund
Modified: 2007-04-18 16:44 UTC

Doc Type: Bug Fix
Last Closed: 2005-08-03 12:25:13 UTC

Description Marko Asplund 2002-07-17 06:45:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (X11; U; Linux 2.4.18-4 i686)

Description of problem:
Some X11 applications like dateconfig fail to start when run with the sudo
command on a remote machine. When logged on to a remote machine,
e.g. the 'sudo dateconfig' command fails because of X11 authentication problems.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Log on remotely as a regular user to a machine using OpenSSH
2. Run 'sudo dateconfig'

Actual Results:  []$ sudo dateconfig
X11 connection rejected because of wrong authentication.
Gdk-ERROR **: X connection to localhost:21.0 broken (explicit kill or server
shutdown).

Expected Results:  dateconfig should have started.

Additional info:

'sudo /usr/share/dateconfig/dateconfig' as well as 'sudo netscape' still work.

After setting the XAUTHORITY environment variable for the regular user
in $HOME/.ssh/environment, dateconfig works fine.

Comment 1 Tomas Mraz 2005-02-03 15:27:26 UTC
This has nothing to do with openssh. It's a sudo problem and probably
a WONTFIX as it's a security risk.


Comment 2 Jochen Wiedmann 2005-02-15 09:21:02 UTC
This is possibly a duplicate of Bug 61524 (or vice versa). In other
words: The problem is possibly the same with "su". I would also like
to ask where you see a security risk. Without any explanation, I find
this hard to believe.


Comment 3 Tomas Mraz 2005-02-15 10:18:13 UTC
The security risk is that if you allow su from an unprivileged user to
the root user, you basically give the unprivileged user full root access.
So there is no problem in allowing him to run X11 applications on his
display.
Sudo, on the other hand, is different - most often you use it for
restricting the user to running an exactly defined process (exact binary,
exact parameters...) with root privileges. However, if such a process
is an X11 application which uses the user's display, there is a high risk of
the binary being exploited through its connection to the display,
allowing the user to get full root access. Note that the code of Xlib
and X11 apps wasn't audited against this kind of attack.
So, to avoid exposing the system to such attacks, it's not
recommended to allow running X11 apps with sudo, and sudo doesn't
support it anyway.
It is basically still possible to work around this limitation of sudo,
but I think this shouldn't be supported by default.

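Added example, not part of the original bug report and not sudo's own code: a small audit that applies the distinction drawn in Comment 3 to a sudoers policy, reporting Defaults that pass the caller's DISPLAY or XAUTHORITY through to the command alongside rules that restrict a user to specific commands. The sample policy, its user names and the function names are constructed for illustration; env_reset and env_keep are standard sudoers Defaults options.

```python
import re

X11_VARS = {"DISPLAY", "XAUTHORITY"}

# Constructed sample policy; the user names and rules are hypothetical.
SAMPLE_SUDOERS = '''\
# constructed example policy
Defaults env_reset
Defaults env_keep += "LANG DISPLAY \\
    XAUTHORITY"
Defaults:backup !env_reset
root    ALL=(ALL) ALL
marko   ALL=(root) /usr/bin/dateconfig
%ops    ALL=(root) NOPASSWD: /sbin/service httpd restart
'''

def logical_lines(text):
    """Yield (first_line_no, line); comments dropped, continuations joined, includes not followed."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = re.sub(r"#.*", "", buf + raw).strip()
        if line:
            yield start, line
        buf, start = "", None

def audit(text):
    """Return (passthrough Defaults for X11 variables, rules limited to specific commands)."""
    passthrough, restricted = [], []
    for no, line in logical_lines(text):
        if line.startswith("Defaults"):
            if re.search(r"!\s*env_reset\b", line):
                passthrough.append((no, "env_reset disabled"))
            for m in re.finditer(r'\benv_keep\s*\+?=\s*("[^"]*"|\S+)', line):
                kept = X11_VARS & set(m.group(1).strip('"').split())
                if kept:
                    passthrough.append((no, "env_keep " + " ".join(sorted(kept))))
        elif "=" in line and not re.match(r"\w+_Alias\b", line):
            # Drop the runas list "(root)" and tags such as "NOPASSWD:".
            cmds = re.sub(r"\([^)]*\)|\b[A-Z_]+:", "", line.split("=", 1)[1])
            if cmds.strip() != "ALL":
                restricted.append((no, line))
    return passthrough, restricted

if __name__ == "__main__":
    for group in audit(SAMPLE_SUDOERS):
        print(group)
```

The script only reads the text it is given; sudo's compiled-in env_keep defaults differ between versions and are listed by `sudo -V` when run as root.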

Comment 4 Karel Zak 2005-08-03 12:25:13 UTC

*** This bug has been marked as a duplicate of 164671 ***

