When I log in as myself into the box, with my local Cygwin-provided X
server running, I can display windows perfectly fine.
However, if after logging in, I then "sudo" to an administrative
account and then try to run something that tries to display windows,
it says that it can't connect.
I tried doing "env | sort" from both my user account and the
administrative account, to compare the differences. On the admin
shell, I set the following env vars from their value on my user
account:
DISPLAY, SSH_AUTH_SOCK, SSH_CLIENT, SSH_CLIENT, SSH_CONNECTION,
SSH_TTY
However, it still fails to connect. I imagine that one of these
variables is "tied" to my user account somehow, and won't work if I
just copy the value over (probably a good idea :) ).
So, what can I do to facilitate this connection from the admin account
to my local box's X server?
export DISPLAY?
I exported all of those variables I indicated that I set, including
DISPLAY.
before you sudo:
"xauth list"
copy that, then sudo,
as new user, "xauth add <the output of the above xauth list>"
"export DISPLAY=" the original DISPLAY variable, which is also in the
output of the xauth list command
voila
I'm not certain exactly what you mean by this. For context, we'll
call my X server box "laptop", and the box I'm trying to run the Xwin
app on as "unixbox".
I have my Cygwin X server running on "laptop". I've logged into
"unixbox" from "laptop" (using SecureCRT), with the "forward X11
packets" flag set on.
When I log into "unixbox" and run "xauth list", I see output like the
following:
unixbox/unix:10 MIT-MAGIC-COOKIE-1 <longhexstring1>
unixbox/unix:11 MIT-MAGIC-COOKIE-1 <longhexstring2>
unixbox/unix:12 MIT-MAGIC-COOKIE-1 <longhexstring3>
unixbox/unix:13 MIT-MAGIC-COOKIE-1 <longhexstring4>
unixbox/unix:14 MIT-MAGIC-COOKIE-1 <longhexstring5>
unixbox/unix:15 MIT-MAGIC-COOKIE-1 <longhexstring6>
I'm not exactly sure how to pass this to "xauth add" after the sudo,
and the DISPLAY variable value is not in this output, although that's
the easiest variable to copy, as it was only set to "localhost:10.0"
before the sudo.
ok example
xauth list
sudo -u whomever
xauth add "unixbox/unix:10 MIT-MAGIC-COOKIE-1 <longhexstring1>"
DISPLAY=unixbox/unix:10; export DISPLAY
run your x app
So when I start out, my DISPLAY is set to "localhost:10.0", and
running "xterm" on "unixbox" displays the window on "laptop".
I then run "xauth list" and get that list of 6 lines. I then sudo to
the admin account. I do:
xauth add "<first line of previous xauth list output>"
It said:
1356-364 xauth: creating new authority file $HOME/.Xauthority
xauth: (argv):1: 1356-353 bad "add" command line
here's the part where you type "man xauth" and find what format aix
xauth wants it in. the method works for both solaris and hp-ux
I had read it, but I didn't notice that the double quotes were making
it a single argument.
In any case, it now doesn't complain about the syntax of add. It says
it created the authority file. I then set the DISPLAY to the
DisplayName value that I added and exported it, and then ran xterm.
It still says:
xterm Xt error: Can't open display: unixbox/unix:12
Note that the actual name of the box is a fully-qualified host name
(along with the resulting display name), with periods in it. I assume
that wouldn't matter?
When you say you sudo to an admin account, do you mean "su - root" (or
"su -") ? If so, have you tried omitting the dash in the su command
so you don't replace the DISPLAY variable established by SecureCRT
with root's DISPLAY variable? On my AIX box, if I have a working X
tunnel via SSH to my user account and do "su - " then I get the same
results you get, but if I just "su" then I can run x in the root
shell.
Doug
Well, that was promising for a moment.
Apparently my company restricts the non-"-" form more than the "-"
form. I have permission to sudo using "-", but when I do it without
it, it says:
Sorry, user <me> is not allowed to execute '/usr/bin/su <admin>' as
root on <hostname>.
export DISPLAY=laptop:0
What I have done to resolve this problem is to write my own wrapper
'su' script in my $HOME/bin directory. The important guts of it are:
SUCMD='/usr/bin/su'
# root's login shell, taken from the exact "root" entry in /etc/passwd
NEWSH=`awk -F: '$1 == "root" {print $7}' /etc/passwd`
case $# in
0)
    # "su": become root, keeping the caller's DISPLAY and cookie file
    if [ -n "$DISPLAY" ]; then
        $SUCMD root -c \
            "env DISPLAY=$DISPLAY XAUTHORITY=${HOME}/.Xauthority $NEWSH"
        exit $?
    else
        $SUCMD root
        exit $?
    fi # end if [ -n "$DISPLAY" ] ... else
    ;;
1)
    # "su -": login shell for root, same X settings passed through
    if [ "$1" = "-" ]; then
        if [ -n "$DISPLAY" ]; then
            $SUCMD - root -c \
                "env DISPLAY=$DISPLAY XAUTHORITY=${HOME}/.Xauthority $NEWSH"
            exit $?
        else
            $SUCMD - root
            exit $?
        fi # end if [ -n "$DISPLAY" ] ... else
    else
        $SUCMD "$@"
        exit $?
    fi # end if [ "$1" = "-" ] ... else
    ;;
2)
    # "su - root": same as above with the user named explicitly
    if [ "$1" = "-" -a "$2" = "root" ]; then
        if [ -n "$DISPLAY" ]; then
            $SUCMD - root -c \
                "env DISPLAY=$DISPLAY XAUTHORITY=${HOME}/.Xauthority $NEWSH"
            exit $?
        else
            $SUCMD - root
            exit $?
        fi # end if [ -n "$DISPLAY" ] ... else
    else
        $SUCMD "$@"
        exit $?
    fi # end if [ "$1" = "-" -a ... else
    ;;
*)
    # anything else goes to the real su unchanged
    $SUCMD "$@"
    exit $?
    ;;
esac
I assume you put that in your path before /usr/bin. In any case, this
doesn't work either, because sudo won't let me execute that.
So far, the only way I can get done what I need to get done is to turn
off authentication on the server. I'm not wild about that, but it's
certainly easier than all this xauth manipulation, which still doesn't
appear to work (or at least
http://www.gratisoft.us/sudo/man/sudoers.html
or the comments in the sudoers file itself. I've used env_keep to
manage unusual env variables for non-root users using sudo on Linux.
I manage sudo on AIX but I haven't used this feature there, so it's
possible the AIX impl doesn't support it. On Linux, for example, the
following is a default:
Defaults env_reset
Defaults env_keep = "DISPLAY ..."
Doug
This seems like a good thing, but I doubt this will help for this.
Before sudoing, I printed $DISPLAY. After the sudo, I set DISPLAY to
that value and ran xterm. No luck. This is in addition to using
"xauth add" to copy the "xauth list" values from before the sudo.
To get X to work from my Linux system, I had to reformat the xauth
output for AIX, so I set scripts to do it using shared storage.
On Linux, in my .bashrc file, where ${AIX} is a shared directory:
xauth list | awk '/mypc/ {print "mypc.mydomain.com:0 . ",$3}' | head -1 > ${AIX}/authfile
This changes the auth string to look like this in authfile:
mypc.mydomain.com:0 . 776356bcbb4e28370720c7113dece5aa
On AIX:
if [ -f authfile ] ; then
    xauth remove mypc.mydomain.com:0
    xauth add `cat authfile`
fi
export DISPLAY=mypc.mydomain.com:0
I found I needed to remove old signatures from the auth list.
Also check permissions on /.Xauthority - it needs to be readable.
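
The cookie hand-off discussed in this thread, as an added example that is not code from any of the posters: it picks the one "xauth list" entry whose display number matches the forwarded DISPLAY and prints an "xauth add" line with three separate arguments. The function names and the sample cookie values are constructed for illustration; DISPLAY itself is left at the value the SSH session set ("localhost:10.0" in the thread).

```shell
#!/bin/sh
# Constructed sample of `xauth list` output; the cookies are made-up values.
SAMPLE_XAUTH_LIST='unixbox/unix:10  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
unixbox/unix:11  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100
unixbox/unix:12  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'

# display_number DISPLAY
# Prints N for values such as "localhost:N.S", "host/unix:N" or ":N".
display_number() {
    d=${1##*:}          # drop everything up to the last colon -> "10.0"
    d=${d%%.*}          # drop the screen suffix               -> "10"
    case $d in
        ''|*[!0-9]*) return 1 ;;    # not a display number
    esac
    printf '%s\n' "$d"
}

# xauth_add_command DISPLAY   (reads `xauth list` text on stdin)
# Prints "xauth add <name> <protocol> <hexkey>" for the entry whose display
# number matches DISPLAY; returns 1 if no well-formed entry matches.
xauth_add_command() {
    n=$(display_number "$1") || return 1
    awk -v n="$n" '
        NF == 3 {
            k = split($1, parts, ":")       # "unixbox/unix:10" -> "10"
            num = parts[k]
            sub(/\..*$/, "", num)
            # Only emit fields that are safe to paste into a shell:
            # plain display name and protocol, even-length hex cookie.
            if (num == n &&
                $1 ~ "^[A-Za-z0-9._/:-]+$" &&
                $2 ~ "^[A-Za-z0-9.-]+$" &&
                $3 ~ "^[0-9a-fA-F]+$" && length($3) % 2 == 0) {
                printf "xauth add %s %s %s\n", $1, $2, $3
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Demo on the constructed sample. On a real session, run as your own user:
#   xauth list | xauth_add_command "$DISPLAY"
# then paste the printed line into the shell of the other account.
printf '%s\n' "$SAMPLE_XAUTH_LIST" | xauth_add_command localhost:10.0
```

The printed line contains a live session cookie, so treat it like a password: paste it directly and do not leave it in world-readable files or shared directories.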