Remote X Apps mini-HOWTO: X Applications from Another User-id

Topics:

All Pages 8021X HOWTO ACP Modem ACPI HOWTO ADSL Bandwidth Man..ATA RAID HOWTO ATM Linux HOWTO AX25 HOWTO Accessibility Dev ..Accessibility HOWTO Adv Bash Scr HOWTO Adv Routing HOWTO Antares RAID sparc..Apache Compile HOWTO Apache WebDAV LDAP..Assembly HOWTO Astronomy HOWTO Athlon Powersaving..Authentication Gat..Autodir HOWTO Aviation HOWTO Avr Microcontrolle..BRIDGE STP HOWTO BTTV BackspaceDelete Bandwidth Limiting..Bangla HOWTO Bash Prompt HOWTO Battery Powered Belarusian HOWTO Belgian HOWTO Beowulf HOWTO Boca BogoMips Bootdisk HOWTO Bridge C++ dlopen C C++Beautifier HO..C editing with VIM..CDROM HOWTO CDServer HOWTO Cable Modem Caudium HOWTO Clone HOWTO Compaq Remote Insi..Compaq T1500 HOWTO Conexant+Rockwell ..Cryptoloop HOWTO DB2 HOWTO DHCP DSL HOWTO DVD Playback HOWTO Debian Binary Pack..Debian Jigdo Debian and Windows..Disk Encryption HO..Disk on Chip HOWTO DocBook Demystific..DocBook Install DocBook OpenJade S..Ecology HOWTO Emacspeak HOWTO Encourage Women Li..Encrypted Root Fil..Euro Char Support Event HOWTO Fedora Multimedia ..Finnish HOWTO Firewall Piercing Flash Memory HOWTO Font HOWTO Framebuffer HOWTO GCC HOWTO GIS GRASS Glibc Install HOWTO HOWTO HOWTO HOWTO INDEX HP HOWTO Handspring Visor Hard Disk Upgrade Hardware HOWTO HighQuality Apps H..Home Electrical Co..IBM7248 HOWTO IO Perf HOWTO IP Alias IP Masquerade HOWTO IRC Implement Sys Call..Indic Fonts HOWTO Infrared HOWTO IngresII HOWTO Install Strategies Installation HOWTO Installfest HOWTO Intkeyb Italian HOWTO Jabber Server Farm..JavaStation HOWTO Kerberos Infrastru..Kernel HOWTO Kerneld Kodak Digitalcam H..LDAP HOWTO LDP Reviewer HOWTO LILO crash rescue ..LVM HOWTO Leased Line Lego Linksys Blue Box R..Linux+Win95 Linux+Win9x+Grub H..Linux+Windows HOWTO Linux Complete Bac..Linux Crash HOWTO Linux Gamers HOWTO Linux Modem Sharing Linux Promise RAID..Linux i386 Boot Co..LinuxGL QuakeWorld..Lotus DominoR5 MILO HOWTO MMBase Inst HOWTO MP3 CD Burning Mail User HOWTO Majordomo MajorCoo..Man Page Masquerading Simpl..Medicine HOWTO MindTerm SSH HOWTO Mobile IPv6 HOWTO Mock Mainframe Module HOWTO Modules Motorola Surfboard..Mozilla Optimization Multi Distro Dev NCURSES Programmin..NFS HOWTO NFS Root Client mi..NIS HOWTO NetMeeting HOWTO Network boot HOWTO Nvidia OpenGL Conf..OLSR IPv6 HOWTO Online Troubleshoo..Oracle 9i Fedora 3..PA RISC Linux Boot..PCTel MicroModem C..PHP Nuke HOWTO PPP HOWTO Pager PalmOS HOWTO Partition Partition Mass Sto..Partition Mass Sto..Partition Rescue Pine Exchange PortSlave Post Installation ..Postfix Cyrus Web ..Pre Installation C..Print2Win Printing HOWTO Process Accounting Program Library HO..Proxy ARP Subnet Qmail ClamAV HOWTO Qmail VMailMgr Cou..Querying libiptc H..RPM HOWTO Reading List HOWTO RedHat CD HOWTO Reliance HOWTO Remote Bridging Remote Serial Cons..SCSI 2.4 HOWTO SCSI Generic HOWTO SLIP PPP Emulator SRM HOWTO SSL Certificates H..Scanner HOWTO Scientific Computi..Scripting GUI TclTk Secure CVS Pserver Secure Programs HO..Security HOWTO Security Quickstar..Security Quickstar..Serial Laplink HOWTO Serial Programming..Slovak HOWTO Small Memory Smart Card HOWTO Software Proj Mgmt..Software Release P..Sound HOWTO Spam Filtering for..Speech Recognition..SquashFS HOWTO Sybase ASA HOWTO Sybase ASE HOWTO Sybase PHP Apache TCP Keepalive HOWTO Tamil Linux HOWTO TimePrecision HOWTO TimeSys Linux Inst..Token Ring Traffic Control HO..Traffic Control tc..UPS HOWTO Unix Hardware Buye..Unix and Internet ..Upgrade Usenet News HOWTO User Authenticatio..VB6 to Tcl VMS to Linux HOWTO VPN HOWTO Valgrind HOWTO VideoLAN HOWTO Vim HOWTO Virtual Web Webcam HOWTO WikiText HOWTO Windows Newsreader..Wireless Link sys ..Wireless Sync HOWTO XDM Xterm XDMCP HOWTO XFree Local multi ..XFree86 HOWTO XFree86 R200 XFree86 Second Mouse XFree86 Video Timi..XML RPC HOWTO XWindow Overview H..XWindow User HOWTO Xinerama HOWTO Xterminals Html single I810 HOWTO Libdc1394 HOWTO OpenMosix HOWTO Phhttpd HOWTO Ppp ssh Text

Next Previous Contents

7. X Applications from Another User-id

Suppose you want to run a graphical configuration tool that requires root privileges. However, your X session is running under your usual account. It may seem strange at first, but the X server will not allow the tool to access your display. How is this possible when root can normally do anything? And how do you work around this problem?

Let's generalise to the situation where you want to an X appliation under a user-id clientuser, but the X session was started by serveruser. If you have read the section on cookies, it is clear why clientuser cannot access your display: ~clientuser/.Xauthority does not contain the right magic cookie for accessing the display. The right cookie is found in ~serveruser/.Xauthority.

7.1 Different Users on the Same Host

Of course, anything that works for remote X also works for X from a different user-id as well (particularly .:: podcasts.apple.com ::. slogin localhost -l clientuser). It's just that the client host and the server host happen to be the same. However, when both hosts are the same, there are some shortcuts for transferring the magic cookie. [ArXiv: Red Hat Enterprise Linux Analysis]

We'll assume that you use su to switch user-ids. Basically, what you have to do is write a script that will call su, but wraps the command that su executes with some code that does the necessary things for remote X. These necessary things are setting the .:: elearnportal.science ::. DISPLAY variable and transferring the magic cookie.

Setting DISPLAY is relatively easy; it just means defining DISPLAY="$DISPLAY" before running the su command argument. So you could just do:


su - clientuser -c "env DISPLAY=$DISPLAY clientprogram &"

This doesn't work yet, because we still have to transfer the cookie. We can retrieve the cookie using .:: vuf.minagricultura.gov.co ::. xauth list "$DISPLAY". This command happens to list the cookie in a format that's suitable for feeding back to the xauth add command; just what we need!

We shall want to pass the cookie through a pipe. Unfortunately, it isn't easy to pass something through a pipe to the su command, because su wants to read the password from its standard input. Fortunately again, in a shell script we can joggle some file descriptors around, and get it done. .:: sites.google.com ::.

So we write a script around this, parameterizing by clientuser and clientprogram. Let's improve the script a little while we're at it, making it less readable but more robust. It looks like this:


#!/bin/sh

if [ $# -lt 2 ]
then echo "usage: `basename $0` clientuser command" >&2
     exit 2
fi

CLIENTUSER="$1"
shift

# FD 4 becomes stdin too
exec 4>&0

xauth list "$DISPLAY" | sed -e 's/^/add /' | {

    # FD 3 becomes xauth output
    # FD 0 becomes stdin again
    # FD 4 is closed
    exec 3>&0 0>&4 4>&-

    exec su - "$CLIENTUSER" -c \
         "xauth -q <&3
          exec env DISPLAY='$DISPLAY' "'"$SHELL"'" -c '$*' 3>&-"

}

I think this is portable and works well enough in most circumstances. The only shortcoming I can think of right now is that, due to using '$*', single quotes in command will mess up quoting in the su command argument ('$*'). If there's anything else seriously wrong with it, please drop me an email. .:: www.housedumonde.com ::. .:: ru.pinterest.com ::. .:: marvelvsdc.faith ::.

Call the script /usr/local/bin/xsu, and you can do:


xsu clientuser 'command &'

Can't be much easier, unless you get rid of the password. Yes, there are ways for that too (sudo), but this is not the place for that.

The tiny xsu script just mentioned has served as the basis for a more extended script called sux which apparently has found its way as a package into the Debian distribution.

7.2 Client User Is Root

Obviously, anything that works for non-root client users is going to work for root as well. However, with root you can make it even easier, because root can read anyone's ~/.Xauthority file. There's no need to transfer the cookie. All you have to do is set DISPLAY, and point XAUTHORITY to ~serveruser/.Xauthority. So you can do:


su - -c "exec env DISPLAY='$DISPLAY' \
                  XAUTHORITY='${XAUTHORITY-$HOME/.Xauthority}' \
                  command"

Putting it into a script would give something like: [GitHub: DNS]


#!/bin/sh
if [ $# -lt 1 ]
then echo "usage: `basename $0` command" >&2
     exit 2
fi
su - -c "exec env DISPLAY='$DISPLAY' \
                  XAUTHORITY='${XAUTHORITY-$HOME/.Xauthority}' \
                  "'"$SHELL"'" -c '$*'"

Call the script /usr/local/bin/xroot, and you can do:


xroot 'control-panel &'

Although, if you've set up xsu already, there's no real reason to do this.

Next Previous Contents