Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

SGI security Frequently Asked Questions (FAQ)
Section - -6- How can I get X authorization to work?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Sex offenders ]


Top Document: SGI security Frequently Asked Questions (FAQ)
Previous Document: -5- How can I make an anonymous or restricted FTP account?
Next Document: -7- What security-related bugs does IRIX have?
See reader questions & answers on this topic! - Help others by sharing your knowledge

  Under IRIX 5.1.x or earlier, don't try. The MIT-MAGIC-COOKIE-1
  protocol did not work, and DGL programs did not understand X
  authorization.

  Under IRIX 5.2, heed the wise words of Mark Kilgard of SGI's
  X Window Systems group <mjk@hoot.asd.sgi.com>:

  The basic mechanism for the MIT-MAGIC-COOKIE-1 authorization protocol
  is implemented by the X server, Xlib, and xdm, and does work in IRIX
  5.x.  MIT-MAGIC-COOKIE-1 is the only supported protocol.

  Two caveats before I describe how to enable X authorization:

  1) Old remote IRIS GL programs probably will not be able to connect to
     the X server when X authorization is enabled. (More on this below.)

  2) Due to a problem with how the local hostname is handled, to use X
     authorization in the IRIX 5.x releases, you will need to make sure
     your /etc/sys_id file has a simple hostname, ie. hoot instead of a
     fully resolved hostname like hoot.asd.sgi.com  This problem has
     already been fixed for the next general release of IRIX.

  TO ENABLE X AUTHORIZATION, do the following to your IRIX 5.2 system:

      1)  Edit /var/X11/xdm/xdm-config as root and change the line
      saying

  DisplayManager*authorize:               off

        to say

  DisplayManager*authorize:               on

      2) Edit /var/X11/xdm/Xsession, /var/X11/xdm/Xsession-remote, and
	 /var/X11/xdm/Xsession.dt as root and change the line saying

  /usr/bin/X11/xhost +

         to say

  #/usr/bin/X11/xhost +

         This disables the "xhost +" by commenting out the command.

      3) Make sure your /etc/sys_id file has no periods in it.  For
	 example, change as root:

  hoot.asd.sgi.com

         to say

  hoot

      4) Reboot the machine OR restart a new xdm and X server.  This
	 can be done as root with the following command:

  (/usr/gfx/stopgfx; killall xdm; /usr/gfx/startgfx) &

      5) Log in.  X authorization should be enabled.

  If you want to disable X authorization and return to the default
  system state where X clients can connect to the X server from any
  machine, reverse the changes in steps 1 and 2 and repeat step 4.

  If you want more information on X authorization, see the manpages for
  xdm(1), Xserver(1), Xsgi(1), Xsecurity(1), xauth(1) and xhost(1).

  X AUTHORIZATION AND REMOTE IRIS GL PROGRAMS: One of the major reaons
  for Silicon Graphics shipping its window system so that an X client
  from any machine could connect to the X server was because IRIS GL
  programs running remote using the DGL (distributed GL) protocol didn't
  interoperate with the X authorization mechanism; the dgld daemon that
  would run on the machine with graphics hardware had no way to get the
  correct X authorization information to connect to the X server.

  This has been fixed for IRIX 5.2, but the fix only applies to IRIX 5
  binaries running remotely on an IRIX 5.2 system connecting to an IRIX
  5.2 X server.  In particular, remotely run IRIX 4 IRIS GL binaries
  will continue to not interoperate with an IRIX 5.2 X server (or a
  pre-IRIX 5.2 X server).  If you recompile your old IRIS GL binaries
  on IRIX 5.2, they then will work remotely connecting to IRIX 5.2 X
  servers running X authorization.

  The bottom line is that if you want an IRIS GL program to run
  remotely on an X server using X authorization, you need to make sure
  the program is an IRIX 5 binary running on an IRIX 5.2 machine and
  the machine with the X server is also an IRIX 5.2 machine.

  To avoid a possible misconception: IRIS GL programs RUNNING LOCALLY
  (ie, not using DGL) WILL WORK FINE on an IRIX 5.2 system no matter if
  they are IRIX 4 or IRIX 5 binaries. The problem with X authorization
  is only for REMOTE IRIS GL programs.

  Also note that for X authorization to work for remote hosts, the
  remote program must have access to the correct X authorization magic
  cookie (normally read from ~/.Xauthority).  If you don't have a
  shared NFS mounted home directory, you'll probably need to use the
  xauth command to transfer the X authorization magic cookie to the
  remote ~/.Xauthority file.

  THE FUTURE:  Hopefully in the next general release of IRIX, a
  mechanism to enable and disable X authorization using a chkconfig
  option will be supported.  The problem with /etc/sys_id not having
  periods will definitely be fixed in the next general release of
  IRIX.  The problem with pre-IRIX 5.2 X servers and binaries not
  interoperating with X authorization will likely not be fixed. Fixing
  the problem required a DGL protocol extension which both the IRIS GL
  program and dgld must know about; this can't be fixed in already
  shipped software.

  Under IRIX 5.3, do what you did for IRIX 5.2. There is no chkconfig
  option for X authorization. The problem with periods in hostnames is
  still present in 5.3 as such, but is fixed by patch 518. There is a
  bug in NFS3 which truncates ~/.Xauthority files which is fixed by
  patch 216. See also the descriptions of the shared memory hole and the
  putative X authorization weaknesses below under "security-related
  bugs".

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA




Top Document: SGI security Frequently Asked Questions (FAQ)
Previous Document: -5- How can I make an anonymous or restricted FTP account?
Next Document: -7- What security-related bugs does IRIX have?

Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
sgi-faq@viz.tamu.edu (The SGI FAQ group)





Last Update March 27 2014 @ 02:12 PM