Bug#63633: marked as done (xbase-clients: [xauth] should use getpwuid to find home dir)

Sun, 06 Mar 2011 06:12:21 -0800 

Your message dated Sun, 6 Mar 2011 15:09:33 +0100
with message-id <20110306140933.ga26...@debian.org>
and subject line Re: Bug#63633: Please close 63633 as invalid.
has caused the Debian Bug report #63633,
regarding xbase-clients: [xauth] should use getpwuid to find home dir
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
63633: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=63633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: xbase-clients
Version: 3.3.6-6
Severity: normal

It appears that xauth uses the HOME variable to locate .Xauthority.
This causes unwanted behaviour when doing such:

$ xauth list :0
$ su
# xauth add <auth cookie>

Because now the .Xauthority file is owned by root.  Further more, the
.Xauthority-[cl] files (lock and ?) are not removed after xauth
terminated.

As a workaround, using "su -" works fine.  But I can't see any reason
why one would want to use $HOME for a security-related feature.

-- System Information
Debian Release: 2.2
Architecture: i386
Kernel: Linux bylbo 2.3.99-pre6 #1 ven avr 28 20:43:28 CEST 2000 i586

Versions of packages xbase-clients depends on:
ii  cpp                          1:2.95.2-10 The GNU C preprocessor.           
ii  libc6                        2.1.3-10    GNU C Library: Shared libraries an
ii  libncurses5                  5.0-6       Shared libraries for terminal hand
ii  xlib6g                       3.3.6-6     shared libraries required by X cli
ii  zlib1g [libz1]               1:1.1.3-5   compression library - runtime

--- End Message ---
--- Begin Message --- 
Bernhard R. Link <brl...@debian.org> (06/03/2011):
> .Xauthority is found in the user's home directory, so can only
> be get by HOME. Looking into the initial home dir will lead to
> wrong results most of the time. (And even reduce security by
> sending out information not intended to).

Yeah, came the NOTES section in getpwnam's manpage later in my bug
pinging session, and closed other such reports already. Closing that
one with this mail.

KiBi.

Attachment: signature.asc
Description: Digital signature


--- End Message ---

Reply via email to