Privacy

Robert Heller heller at deepsoft.com
Sun Mar 14 09:44:53 CST 2004


  Roger Price <roger.price at pandora.be>,
  In a message on Sun, 14 Mar 2004 12:04:10 +0100, wrote :

RP>   I am trying to secure access to my gnucash on Mac OS X 10.3.2 using 
RP> the method suggested below for linux
RP> 
RP> 1. create a user (probably 'bookkeeper' or something)
RP> 2. move all bookkeeping info from the default user's home to
RP>    bookkeepers' home.
RP> 3. tell KDE or GNOME to run gnucash as a different user (being
RP>    'bookkeeper') or change the command from /usr/bin/gnucash to su
RP>    bookkeeper -c /usr/bin/gnucash.
RP> 
RP> I have set up a separate account and copied the gnucash data and set 
RP> the privs to 600. In my xterm (X11 works fine in my account) I type:
RP> 
RP> [FlatScreen:~] roger%
RP> [FlatScreen:~] roger% su gnucash -c /sw/bin/gnucash
RP> Password:
RP> Xlib: connection to ":0.0" refused by server
RP> Xlib: No protocol specified
RP> 
RP> Gtk-WARNING **: cannot open display: :0.0
RP> [FlatScreen:~] roger%
RP> 
RP>   What do I need to do or set up to make X11 work in this set-up?

What is happening is X11's security is hitting you.  Since X11 is itself
a network service it uses its own security features to prevent
'unauthorized' remote (network) access to your screen (X server). 
There are various ways around this.  One possibility is to use ssh:

[FlatScreen:~] roger% ssh gnucash@localhost /sw/bin/gnucash

ssh (if properly configured) will tunnel the X11 network traffic
through a virtual X Server channel, mapped to your original X server
channel: the ssh *client* connects (as you) to unix:0.0 and the ssh
*daemon* creates a new 'X Server' at localhost:10.0 (on the 'remote'
machine) and sets up a bi-directional ssl connection with the client
side.

Another way is to have way too much 'fun' with xauth.

Or you can defeat X11's security with the 'xhost +' command.

RP> 
RP> On 12 Mar 2004, at 21:04, Lindenaar, D.J.W. wrote:
RP> 
RP> > The solution is already
RP> > given so I'll just try to show how it could be done.
RP> >
RP> > 1. create a user (probably 'bookkeeper' or something)
RP> > 2. move all bookkeeping info from the default user's home to
RP> > bookkeepers' home.
RP> > 3. tell KDE or GNOME to run gnucash as a different user (being
RP> > 'bookkeeper') or change the command from /usr/bin/gnucash to su
RP> > bookkeeper -c /usr/bin/gnucash.
RP> >
RP> > Like this it can be done. The OS asks the password for 'bookkeeper' and
RP> > if correct fires up gnucash. If your son starts gnucash he doesn't know
RP> > the password and so can't start gnucash nor can he delete the
RP> > accountfile or anything.
RP> >
RP> > This is the way it is done the linux-way. It is pretty much exactly the
RP> > same thing a MS-money would seem to do it except that the nice work
RP> > done by the linux-kernel-team is probably much more secure than some hack by
RP> > the accounting programmers.
RP> >
RP> >
RP> > Greetings Daniel.
RP> 
RP> 
RP> 

                                     \/
Robert Heller                        ||InterNet:   heller at cs.umass.edu
http://vis-www.cs.umass.edu/~heller  ||            heller at deepsoft.com
http://www.deepsoft.com              /\FidoNet:    1:321/153
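
The xauth route mentioned in the reply above, as an added example that is not part of the original message: it hands the second account only the cookie for one display and refuses to start while 'xhost +' has switched access control off. Assumed here: sudo is used in place of su so the cookie can be piped, and the function names are hypothetical; the account, display and program path are the ones from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed: sudo lets you run commands as
# the 'gnucash' account (the thread uses su); xauth and xhost are in PATH.

# Reads `xhost` output on stdin; succeeds when access control is disabled,
# i.e. 'xhost +' is in effect and any client may connect to the display.
xhost_is_open() {
    grep -qi 'access control disabled'
}

# share_cookie DISPLAY ACCOUNT
# Copies only DISPLAY's xauth entry into ACCOUNT's ~/.Xauthority. The cookie
# goes over a pipe, so it is never in a shared file or on a command line.
share_cookie() {
    sc_display=$1 sc_account=$2
    if ! xauth list "$sc_display" | grep -q .; then
        echo "no xauth entry for $sc_display" >&2
        return 1
    fi
    # XAUTHORITY is unset on the sudo side so the target account writes its
    # own ~/.Xauthority (-H sets HOME) rather than the caller's file.
    xauth extract - "$sc_display" |
        ( unset XAUTHORITY; sudo -H -u "$sc_account" xauth merge - )
}

# run_as DISPLAY ACCOUNT COMMAND [ARGS...]
run_as() {
    ra_display=$1 ra_account=$2
    shift 2
    if xhost | xhost_is_open; then
        echo "X access control is disabled; run 'xhost -' first" >&2
        return 2
    fi
    share_cookie "$ra_display" "$ra_account" || return 1
    ( unset XAUTHORITY
      sudo -H -u "$ra_account" env DISPLAY="$ra_display" "$@" )
}

# Usage, with the names from the thread:
#   run_as :0.0 gnucash /sw/bin/gnucash
```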






                       

