openssh unix dev - Dec 2002 - AIX - X displays forwarding problem with su

Hey everyone 

Currently i'm using AIX 4.3.3. I've installed OpenSSH version 2.9p1
which by
the way works with the 
way i've hacked it together to get X Displays working correctly. 

I can ssh into the system as myself export my display back no problem.

I can ssh to a system as myself and ( su - any_userid )  and export my
display back but i had 
to hack this together in order to get it to work.

Since the version of openssh 3.4 and above came i cant seem to ( so far )
hack this 
together to get this working. 

Not sure if the privilege separation had anything to do with this or not,
ive 
tried with and with out privilege separation and still no luck.

I have noticed that on Redhat this isnt an issue, displays are able to be
set up 
correctly no matter how many times you su to different userid's the display
can 
be issued back to your desktop.



What ive done to make this work on AIX 

This is only working with version openssh 2.9p1 and below.


1) all users .profile ive added in these 2 lines.


##############################
# This will setup our displays
##############################
. /usr/local/bin/setdisp.ksh
. /usr/local/bin/generic_alias



2) Contents of setdisp.ksh


#############################################################
#
#   script:  setdisp.ksh
#
#  purpose:  to set the display variable on login
#
#############################################################
#
#  Check if su, see if /tmp/ldisp for same date,time
#
DFILE=/tmp/ldisp

if [ ${DISPLAY:-0} = "0" ] ; then
    cdate=`date +"%h%d%H:%M"`
    fdate=`ls -l $DFILE|awk '{print $6$7$8}'`
    if [ $cdate = $fdate ] ; then
      xauth add `cat $DFILE`
      export DISPLAY=`cat $DFILE | awk '{print $1}'`
      echo "" > $DFILE
    fi
fi



3) Contents of  generic_alias

alias su="xauth list | sed -n '1,1 p' > /tmp/ldisp;chmod 666
/tmp/ldisp
2>/dev/null; /usr/bin/su"





Once you log in as your userid, you can now ( su - any_userid ) and still be
able to bring 
back X Displays just fine. 

But i dont think this is normal ! 

Any one else having problems with this? 

Is there something that i'm doing wrong that I could be doing different to
get this working correctly ?


Thanks for your time 

Steven 

bishop at telus.net

Steven Bishop wrote:
> Currently i'm using AIX 4.3.3. I've installed OpenSSH version 2.9p1
> which by the way works with the way i've hacked it together to get X
> Displays working correctly.
Firstly, 2.9 has some widely-published security problems. You may want
to upgrade.
> I can ssh to a system as myself and ( su - any_userid )  and export my
> display back but i had to hack this together in order to get it to work.
[snip]

This is not specific to AIX (it happens on Solaris and probably others)
and happens because su clears a lot of the environment (eg $DISPLAY) and
because the new uid does not know about the xauth credentials.

Redhat's su seems to create a temporary xauth file (try "echo
$XAUTHORITY") and preserve $DISPLAY but this does not appear to be
common behaviour.

We use sudo instead for root access. It preserves $DISPLAY and $HOME (so
$HOME/.Xauthority can still be used). It also provides better logging.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.