[OpenAFS] Re: significant delay for afs user to login as root via su

Andrew Deason adeason@sinenomine.net
Thu, 18 Mar 2010 11:46:30 -0500


On Thu, 18 Mar 2010 11:32:41 -0500
Andrew Deason <adeason@sinenomine.net> wrote:

> On Thu, 18 Mar 2010 09:21:13 -0700 (PDT)
> Booker Bense <bbense@slac.stanford.edu> wrote:
> 
> > You can do this with the current pam_env on linux based machines (
> > and solaris and OSX with some hacking... ).
> > 
> > XAUTHORITY      DEFAULT=/tmp/${\$}.Xauthority   OVERRIDE=/var/tmp/@{PAM_USER}.Xauthority
> > 
> > Basically, you can use anything in the current ENV to set new ENV
> > variables.
> 
> Correct me if I'm wrong, but this strikes me as insecure (depending on
> how xauth deals with symlinks, file permissions, and existing files; I'm
> not sure). What if someone creates those files with perms 0666? Or
> symlinks them to ~user/thesis.tex ?

...and if I actually bothered to try seeing what it does before saying
something, I'd see that xauth appears to be fine in that respect. The
worst another user can do is prevent xauth from working. Never mind :)

-- 
Andrew Deason
adeason@sinenomine.net
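The concerns raised in the quoted reply above (a pre-created file with loose permissions, or a symlink pointing at someone else's file, at a predictable path such as /var/tmp/user.Xauthority) are the properties an administrator would check before trusting a file that a pam_env-derived XAUTHORITY points at. The following Python script is an added illustration, not part of this thread and not OpenAFS, pam_env or xauth code: it applies those checks to a constructed set of files in a private temporary directory. The function name xauthority_risks and the file names are assumptions made for the example; the thread's own conclusion is that xauth handles these cases itself, so the script shows what "fine in that respect" has to cover rather than replacing xauth's behaviour.

```python
import os
import stat
import tempfile


def xauthority_risks(path, expected_uid):
    """Report why a pre-existing file at `path` would be unsafe to use as
    XAUTHORITY for the user `expected_uid`.  An empty list means the file
    is absent (the X tools would create it) or it passes every check."""
    risks = []
    try:
        st = os.lstat(path)          # lstat: never follow a symlink here
    except FileNotFoundError:
        return risks
    if stat.S_ISLNK(st.st_mode):
        # whoever planted the link chooses where writes really land
        risks.append("symlink")
        return risks
    if not stat.S_ISREG(st.st_mode):
        risks.append("not a regular file")
    if st.st_uid != expected_uid:
        risks.append("owned by uid %d, not %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        # the "perms 0666" case from the thread: other users can read or
        # replace the cookie
        risks.append("group/world accessible (mode %o)" % stat.S_IMODE(st.st_mode))
    return risks


def demo():
    """Constructed scenario: candidate .Xauthority files in a private
    temp dir (names are invented for the example)."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        # a file created properly: owned by the user, mode 0600
        good = os.path.join(d, "alice.Xauthority")
        with open(good, "wb"):
            pass
        os.chmod(good, 0o600)

        # a file someone left behind world-writable
        loose = os.path.join(d, "bob.Xauthority")
        with open(loose, "wb"):
            pass
        os.chmod(loose, 0o666)

        # a symlink at the expected path pointing at an unrelated file
        target = os.path.join(d, "thesis.tex")
        with open(target, "wb"):
            pass
        link = os.path.join(d, "carol.Xauthority")
        os.symlink(target, link)

        return {
            "good": xauthority_risks(good, me),
            "loose": xauthority_risks(loose, me),
            "link": xauthority_risks(link, me),
            "missing": xauthority_risks(os.path.join(d, "none.Xauthority"), me),
        }


if __name__ == "__main__":
    for name, risks in demo().items():
        print(name, "->", risks or "ok")
```

Running the script prints one line per constructed file; only the 0600 file owned by the caller and the absent file come back clean. The check uses lstat rather than stat so that a symlink is reported as such instead of being silently followed to its target, which is the failure mode the thread worried about.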