Hello Chris,

On Wed, Aug 08, 2018 at 08:58:24PM +0200, Chris Hofstaedtler wrote:
> * Helge Kreutzmann <[email protected]> [180808 18:57]:
> > On Tue, Aug 07, 2018 at 08:20:23PM +0100, Simon McVittie wrote:
> > > Andreas already asked for a merge request, so it seems that proposing a
> > > patch would indeed be welcome.
> >
> > I'll do, incorporating your excellent explanation. I'll do so by
> > the end of the week (latest).
>
> Gentle reminder about this.
Here you are:
--- ./su.1.orig 2017-09-27 11:05:13.717361420 +0200
+++ ./su.1 2018-08-09 21:04:24.370998117 +0200
@@ -261,6 +261,27 @@
.RS
.br
session required pam_lastlog.so nowtmp
+.PP
+.RE
+Further by default
+.B su
+does not allow the commands to access the current X display. To allow
+graphical applications with the privileges of a different user
+(called "otheruser" in this example) several
+options exists. These are, in order of preference (security-wise):
+.RS 10
+.TP
+o
+Use a separate X display (e.g. "Switch User" in GNOME, or the equivalent
fast-user-switching feature in other desktop environments), or a "thicker"
remoting layer like VNC, Spice or Xpra.
+.TP
+o
+Use ssh, e.g. "ssh -X -oForwardX11Trusted=no otheruser@localhost".
+.TP
+o
+Allow \fBsu\fR explicit display access by issuing "xhost
+si:localuser:otheruser" in
+the originating X session and "DISPLAY=:0 command" under \fBsu\fR.
+This has serious security implications and hence should only be used in
+trusted environments.
.RE
.SH "SEE ALSO"
.BR setpriv (1),
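Review bot: as posted, this hunk will not apply: the two lines "fast-user-switching feature in other desktop environments), or a "thicker"" and "remoting layer like VNC, Spice or Xpra." carry no leading "+", so patch(1) treats them as context lines that do not exist in su.1 (this looks like the mail client wrapping one long "+Use a separate X display ..." line; resend with line wrapping disabled or as an attachment, and re-check the "@@ -261,6 +261,27 @@" counts afterwards). On the wording: "several options exists" should be "exist", "Further by default" needs a comma ("Further, by default"), and "does not allow the commands to access" reads better as "does not allow the command to access". In the third option, "DISPLAY=:0 command" hard-codes the display number; the text should tell the user to carry over the value of DISPLAY from the originating session, since it is not always :0. Finally, "serious security implications" should say what they are: "xhost si:localuser:otheruser" gives every process running as otheruser full access to the display, including reading keystrokes and window contents of the originating session, so it should be described as equivalent to letting otheruser act as the original user rather than as a merely "trusted environment" matter.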
Feel free to update.
Greetings
Helge
--
Dr. Helge Kreutzmann [email protected]
Dipl.-Phys. http://www.helgefjell.de/debian.php
64bit GNU powered gpg signed mail preferred
Help keep free software "libre": http://www.ffii.de/

