#1 2010-02-24 04:22:09

PreachInsanity
Member
Registered: 2010-02-24
Posts: 2

Help with XAUTHORITY environment variable

Short: I'm wondering if there is any way to define $XAUTHORITY with a relative path (i.e. $HOME/.Xauthority) so I can simultaneously launch a second user's apps within the first user's X session (without using SSH or allowing anyone access to the X server).

Long: I created a second user that I want to be able to restrict access to networking and the files of my main user. So I copied user A's .Xauthority file to user B, set permissions, and set iptables to block all connections for B.

I then log in as user A, sudo su - B, and export the display. However, I can only run GUI applications when $XAUTHORITY (specifies the location of the .Xauthority file) is set to /home/B/.Xauthority rather than /home/A/.Xauthority. This makes it so I can only spawn GUI programs with one user or the other at a time (defeating the purpose of not just creating a completely new X session). Appending the paths together doesn't work (/home/A/.Xauthority:/home/B/.Xauthority). Deleting the environment variable (env --unset=XAUTHORITY) should make xauth default to /home/user/.Xauthority, but this doesn't work, as the second it is deleted a new one is generated. Using SSH would decrease performance (encryption overhead). Allowing any client access works (xauth +) but is very, very insecure, defeating the entire purpose.

Hopefully this is as clear as mud.

#2 2010-02-24 22:57:35

PirateJonno
Forum Fellow
From: New Zealand
Registered: 2009-04-13
Posts: 372

Re: Help with XAUTHORITY environment variable

I don't know much about Xauthority, but I did a similar thing with a new group rather than a user, which works seamlessly with X. I set a rule in iptables to block remote internet access for this group and use sg to launch programs under the right group. I'm not sure if you could block access to your files though. I mainly use my group for WINE so the untrusted programs won't have access outside the C: drive subdirectory anyway.


"You can watch for your administrator to install the latest kernel with watch uname -r" - From the watch man page
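
The group-based setup described in the post above, sketched as an added example that is not part of the thread or either poster's own script. The group name `noinet`, the loopback exemption, the `REJECT` target and the sample program `wine app.exe` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: plan a "no network" group enforced with the iptables owner match.
# GROUP defaults to the hypothetical name "noinet".

# Accept only conservative group names so the value is safe inside commands.
valid_group() {
    case "$1" in
        ""|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Rule shared by iptables and ip6tables: reject everything the group sends
# except loopback. Local Unix sockets (such as the X server's) are not IP
# traffic, so X clients keep working.
rule_spec() {
    echo "OUTPUT ! -o lo -m owner --gid-owner $1 -j REJECT"
}

# Print the required commands, one per line, without running anything.
plan() {
    valid_group "$1" || { echo "invalid group name" >&2; return 1; }
    echo "groupadd -f $1"
    for ipt in iptables ip6tables; do
        # -C checks for an identical rule first, so re-runs do not stack duplicates.
        echo "$ipt -C $(rule_spec "$1") 2>/dev/null || $ipt -A $(rule_spec "$1")"
    done
}

# Execute the plan only as root with APPLY=1; otherwise just list it.
apply() {
    cmds=$(plan "$1") || return 1
    if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

# Command line that starts a program with the restricted group as primary group.
launch_cmd() {
    valid_group "$1" || return 1
    grp="$1"; shift
    printf 'sg %s -c "%s"\n' "$grp" "$*"
}

apply "${GROUP:-noinet}"
launch_cmd "${GROUP:-noinet}" wine app.exe   # constructed sample program
```

Because `sg` changes only the group and not the UID, the launched program keeps the invoking user's file permissions and uses the same `.Xauthority` file.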
