On Sun, Oct 17, 2004 at 04:56:12PM -0700, Jamie Zawinski wrote: > Luciano Miguel Ferreira Rocha wrote: > > > > Hm? xscreensaver drops privileges if runned as root, and thus it won't > > be able to access the X cookies file. Ending up unable to connect to the > > X server. > > You'd rather it did what KDE does and not drop privs at all, running > arbitrary eye-candy sub-processes as root? They can't be trusted to run as root? Can they be trusted to be run as any user at all? > > > It's not a case of it refusing to do something insecure. In fact, in its > > documentation, it states that it's "safe to run xscreensaver as root". > > But in order for it to work, it asks for a "xhost +localhost". > > > > And that I don't find very secure. > > It simply follows the security measures in use by the X server. If you > find those onerous and choose to turn them off, that's your business, No, I find the documentation dangerous. > but xscreensaver doesn't do that for you. You could always jump through > hoops like this instead: > xauth -f /home/$USER/.Xauthority nextract - $DISPLAY | xauth nmerge - Why can't xscreensaver do that when run as root? If it sandboxes it self when it thinks it a necessity, then it should at least do it properly and fully. Regards, Luciano Rocha -- Consciousness: that annoying time between naps.
