Very Computer

I've got a set uid application that my users execute & because the
invoked request is the set_uid_proc it does not match the user xauth
gui process. Therefore, tunneling fails during X-authentication; i.e.
broken pipe. I've tried to copy both ssh user & app user Xauth keys
onto ssh servers, but failure still occurs.

Quote:> NOTE: I also have the the sshd_config option StrictModes, set to yes.
> But Strictmodes in the ssh_config, one server set to no. Would this have
> an affect?

> To duplicate the error youself, make a copy of xclock binary & setuid it
> to something other than the uid invoking the ssh session.

> I've been trying to debug for quite sometime now so, any
> suggestions/help is appreciated.

> Going crazy,
> Jenn

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

But never checked perms...& it's only set to 600. So I will test the
following scenerio:set both ssh user & set_uid .Xauthority to 666,
then setenv XAUTHORIY to ssh_user $HOME/.Xauthority.

The only env variable I see set are SSH_CLIENT & SSH_TTY.

Thanks,
Jenn

Quote:> Yes, I tried once to manually setenv XAUTHORIY, after successful ssh
> login. Did not see an option to specify via cmd line login. Still
> unsuccessful. I also tried to copy the set-uid MIT cookie into my
> $HOME/.Xauthority & verified it does read from my $HOME.

> But never checked perms...& it's only set to 600.

Quote:> So I will test the following scenerio:set both ssh user & set_uid
> .Xauthority to 666, then setenv XAUTHORIY to ssh_user
> $HOME/.Xauthority.

In a setuid X application (which is IMHO a bad idea in itself - most X
widget sets are far too complex to be trusted for setuid stuff) you
should temporarily switch euid to the ruid for opening the display, then
switch back to the original euid. Anything else won't work on a
(correctly configured) local display either - this doesn't have anything
to do with SSH.

A much better way is to put the stuff which has to be setuid in a small
program of its own and make the X application simply a frontend for it.

        hp

--
   _  | Peter J. Holzer    | Schlagfertigkeit ist das, was einem
|_|_) | Sysadmin WSR       | auf dem Nachhauseweg einf?llt.

__/   | http://www.hjp.at/ |

What security implications do I need to be concerned with by opening
group read, if any? What can someone do w/the MIT_COOKIE or auth list
output? What data is actually encyrpted in this key when it's
generated by xdm?

Jenn

--

Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.