
RedHat 9 (Linux i386) - man page for pam_xauth (redhat section 8)


pam_xauth(8)			  System Administrator's Manual 		     pam_xauth(8)

       pam_xauth - forward xauth keys between users

       session optional /lib/security/pam_xauth.so arguments

       pam_xauth.so is designed to forward xauth keys (sometimes referred to as "cookies")
       between users.

       Without pam_xauth, when xauth is enabled and a user uses the su command to assume another
       user's privileges, that user is no longer able to access the original user's X display
       because the new user does not have the key needed to access the display.  pam_xauth solves
       the problem by forwarding the key from the user running su (the source user) to the user
       whose identity the source user is assuming (the target user) when the session is created,
       and destroying the key when the session is torn down.

       This means, for example, that when you run su from an xterm session, you will be able to
       run X programs without explicitly dealing with the xauth command or ~/.Xauthority files.

       pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY
       environment variable.

       Primitive access control is provided by ~/.xauth/export in the invoking user's home
       directory and ~/.xauth/import in the target user's home directory.

       If a user has a ~/.xauth/import file, the user will only receive cookies from users listed
       in the file.  If there is no ~/.xauth/import file, the user will accept cookies from any
       other user.

       If a user has a ~/.xauth/export file, the user will only forward cookies to users listed in
       the file.  If there is no ~/.xauth/export file, and the invoking user is not root, the
       user will forward cookies to any other user.  If there is no ~/.xauth/export file, and the
       invoking user is root, the user will not forward cookies to other users.

       Both  the  import  and  export  files  support wildcards (such as *).  Both the import and
       export files can be empty, signifying that no users are allowed.
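
       The import/export rules above, written out as a decision function. This is an added
       example, not code from pam_xauth: it assumes one user name or pattern per line,
       shell-style wildcard matching, and that root is recognised by the name "root".

```python
from fnmatch import fnmatchcase
from typing import Optional


def acl_allows(acl_text: Optional[str], user: str, default_if_missing: bool) -> bool:
    """Evaluate one ACL file. acl_text is the file's contents, or None if it is absent."""
    if acl_text is None:
        return default_if_missing
    # Assumption: one entry per line; blank lines are ignored.
    patterns = [line.strip() for line in acl_text.splitlines() if line.strip()]
    # An existing but empty file yields no patterns, so no user is allowed.
    return any(fnmatchcase(user, pattern) for pattern in patterns)


def cookie_forwarded(source: str, target: str,
                     export_text: Optional[str],
                     import_text: Optional[str]) -> bool:
    """Return True if the source user's key would reach the target user.

    export_text: contents of the source user's ~/.xauth/export (None if missing)
    import_text: contents of the target user's ~/.xauth/import (None if missing)
    """
    source_is_root = (source == "root")  # assumption: root identified by name
    # Missing export file: non-root forwards to anyone, root forwards to no one.
    export_ok = acl_allows(export_text, target, default_if_missing=not source_is_root)
    # Missing import file: the target accepts cookies from any user.
    import_ok = acl_allows(import_text, source, default_if_missing=True)
    return export_ok and import_ok


if __name__ == "__main__":
    # Constructed cases: (source, target, export contents, import contents)
    cases = [
        ("alice", "bob", None, None),         # no files, non-root source
        ("root", "bob", None, None),          # root without an export file
        ("root", "bob", "bob\n", None),       # root explicitly exports to bob
        ("alice", "bob", "", None),           # empty export file
        ("alice", "bob", "*\n", "carol\n"),   # target only imports from carol
    ]
    for source, target, export_text, import_text in cases:
        verdict = cookie_forwarded(source, target, export_text, import_text)
        print(f"{source} -> {target}: {'forwarded' if verdict else 'blocked'}")
```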

       debug  Turns on debugging messages sent to syslog.

              Specify the path to the xauth program (the default is /usr/X11R6/bin/xauth).

       pam_xauth will work only if it is used from a setuid application in which the getuid()
       call returns the id of the user running the application, and for which PAM can supply the
       name of the account that the user is attempting to assume.  The typical application of
       this type is su.  The application must call both pam_open_session() and
       pam_close_session() with the ruid set to the uid of the calling user and the euid set to
       root, and must have provided as the PAM_USER item the name of the target user.

       pam_xauth calls xauth as the source user to extract the key for $DISPLAY, then calls xauth
       as the target user to merge the key into a temporary database and later remove the

       pam_xauth cannot be told not to remove the keys when the session is closed.


       ~/.xauth/import ~/.xauth/export

       Let's  hope  not,  but  if  you	find  any, please report them via the "Bug Track" link at

       Nalin Dahyabhai <nalin@redhat.com>, based on original version by Michael K. Johnson <john-

Red Hat Linux				    2001/9/27				     pam_xauth(8)