Suppose you want to run a graphical configuration tool that requires root privileges. However, your X session is running under your usual account. It may seem strange at first, but the X server will not allow the tool to access your display. How is this possible when root can normally do anything? And how do you work around this problem?
Let's generalise to the situation where you want to an X appliation
under a user-id clientuser, but the X session was started
by serveruser. If you have read the section on cookies,
it is clear why clientuser cannot access your display:
~clientuser/.Xauthority does not contain the right magic
cookie for accessing the display. The right cookie is found in
~serveruser/.Xauthority.
Of course, anything that works for remote X also works for X from
a different user-id as well (particularly slogin localhost -l
clientuser). It's just that the client host and the server host happen
to be the same. However, when both hosts are the same, there are some
shortcuts for transferring the magic cookie.
We'll assume that you use su to switch user-ids. Basically, what
you have to do is write a script that will call su, but wraps the
command that su executes with some code that does the necessary
things for remote X. These necessary things are setting the DISPLAY
variable and transferring the magic cookie.
Setting DISPLAY is relatively easy; it just means defining
DISPLAY="$DISPLAY" before running the su command argument. So you
could just do:
su - clientuser -c "env DISPLAY=$DISPLAY clientprogram &"
This doesn't work yet, because we still have to transfer the cookie.
We can retrieve the cookie using xauth list "$DISPLAY". This command
happens to list the cookie in a format that's suitable for feeding back
to the xauth add command; just what we need!
We shall want to pass the cookie through a pipe. Unfortunately, it
isn't easy to pass something through a pipe to the su command,
because su wants to read the password from its standard input.
Fortunately again, in a shell script we can joggle some file descriptors
around, and get it done.
So we write a script around this, parameterizing by clientuser
and clientprogram. Let's improve the script a little while we're
at it, making it less readable but more robust. It looks like this:
#!/bin/sh
if [ $# -lt 2 ]
then echo "usage: `basename $0` clientuser command" >&2
exit 2
fi
CLIENTUSER="$1"
shift
# FD 4 becomes stdin too
exec 4>&0
xauth list "$DISPLAY" | sed -e 's/^/add /' | {
# FD 3 becomes xauth output
# FD 0 becomes stdin again
# FD 4 is closed
exec 3>&0 0>&4 4>&-
exec su - "$CLIENTUSER" -c \
"xauth -q <&3
exec env DISPLAY='$DISPLAY' "'"$SHELL"'" -c '$*' 3>&-"
}
I think this is portable and works well enough in most circumstances.
The only shortcoming I can think of right now is that, due to using
'$*', single quotes in command will mess up quoting in the
su command argument ('$*'). If there's anything else seriously
wrong with it, please drop me an email.
Call the script /usr/local/bin/xsu, and you can do:
xsu clientuser 'command &'
Can't be much easier, unless you get rid of the password. Yes, there
are ways for that too (sudo), but this is not the place for that.
Obviously, anything that works for non-root client users is going to
work for root as well. However, with root you can make it even easier,
because root can read anyone's ~/.Xauthority file. There's no
need to transfer the cookie. All you have to do is set DISPLAY, and
point XAUTHORITY to ~serveruser/.Xauthority. So you can do:
su - -c "exec env DISPLAY='$DISPLAY' \
XAUTHORITY='${XAUTHORITY-$HOME/.Xauthority}' \
command"
Putting it into a script would give something like:
#!/bin/sh
if [ $# -lt 1 ]
then echo "usage: `basename $0` command" >&2
exit 2
fi
su - -c "exec env DISPLAY='$DISPLAY' \
XAUTHORITY='${XAUTHORITY-$HOME/.Xauthority}' \
"'"$SHELL"'" -c '$*'"
Call the script /usr/local/bin/xroot, and you can do:
xroot 'control-panel &'
Although, if you've set up xsu already, there's no real reason to
do this.