errors when switching users (security hole?)

Danilo Turina
Tue Feb 24 16:41:00 GMT 2004

Alexander Gottwald wrote:

> On Tue, 24 Feb 2004, Kris Thielemans wrote:
>>I was trying to use Windows XP's 'switch user' feature and get rather
>>amazing results. Here is what I did
>>- logged in as account 1 (has admin privs), started XFree there (using
>>- switched to another user ('limited privs'), started Xfree there (using
>>I get error messages relating to /tmp/.X11-unix (permission denied).
>>If you check startxwin.bat, this is indeed a problem. Every user/session
>>will use the same filename. my 2nd user does not have permission to mess
>>around with the /tmp/.X11-unix created by the first user, so it has
>>Maybe this can be fixed by using /tmp/$USER/.X11-unix or so. But maybe you
>>do not want it to be fixed (see below).
>>However, now comes the weird thing.
>>I then switched back to account 1. And it has a new Xterm open, which seems
>>to be owned by user 2 (that is 'id -un' reports user 2)! I did not really
>>check if it has all relevant permissions and so on but it's pretty scary

This is perfectly normal, if you look into startxwin.bat you can find 
the following:

REM Startup the X Server with the integrated Windows-based window manager.

start XWin -multiwindow

REM Startup an xterm, using bash as the shell.

run xterm -sl 1000 -sb -rightbar -ms red -fg yellow -bg black -e 
(Last two lines are only one that have been wrapped)

Trying to start another XServer on the same display (:0 implicitely) 
will fail (as already explained by Alexander).

Instead the opening of an xterm will work, because the xterm is opened 
in the already running XServer.

It's the same situation that often happens with Unix machines when you 
launch a X app from a remote machine toward your X server, but forget to 
specify the display (or to export the DISPLAY variable) and then your 
application is displayed in the remote X server (probably used by 
someone else).

>>Do you think user switching could be supported by XFree? (Don't worry if you
>>say no. It's not a life-saving requirement for me!)
> This is normal behaviour. X11 communication work either via TCP/IP where the 
> xserver uses port 6000+display number or via unix domain sockets where the 
> xserver uses the file /tmp/.X11-unix/X${display number}.
> If you want to start another xserver as a different user you have to supply 
> a screen number different from those of all started servers.
> eg. if the first server was started with XWin -options then the second should
> be started with XWin :1 -options
> bye
> 	ago

More information about the Cygwin-xfree mailing list