X11 Forwarding and su/sudo - Revision history

Hutch at 17:31, 22 May 2008

Hutch — Thu, 22 May 2008 17:31:42 GMT

←Older revision		Revision as of 17:31, 22 May 2008
Line 47:		Line 47:
	$ '''/usr/openwin/bin/xauth extract - host/unix:10 \| sudo su - root -c "/usr/openwin/bin/xauth merge - ; DISPLAY=localhost:10.0 /usr/openwin/bin/xclock"'''		$ '''/usr/openwin/bin/xauth extract - host/unix:10 \| sudo su - root -c "/usr/openwin/bin/xauth merge - ; DISPLAY=localhost:10.0 /usr/openwin/bin/xclock"'''

-	If you unable to use ''xauth'' in a pipeline (perhaps you are using sudo to become another user, but additional command line arguments are not allowed), run '''xauth list''' on the account you are sudo'ing from, sudo to the account, and add the appropriate key via '''xauth add'''.	+	If you unable to use ''xauth'' in a pipeline (perhaps you are using sudo to become another user, but additional command line arguments are not allowed), run '''xauth list''' on the account you are sudo'ing from, sudo to the account, and add the appropriate key via '''xauth add''' before starting your X client.

	=== Links ===		=== Links ===

Hutch at 17:31, 22 May 2008

Hutch — Thu, 22 May 2008 17:31:16 GMT

←Older revision		Revision as of 17:31, 22 May 2008
Line 46:		Line 46:
	localhost:10.0		localhost:10.0
	$ '''/usr/openwin/bin/xauth extract - host/unix:10 \| sudo su - root -c "/usr/openwin/bin/xauth merge - ; DISPLAY=localhost:10.0 /usr/openwin/bin/xclock"'''		$ '''/usr/openwin/bin/xauth extract - host/unix:10 \| sudo su - root -c "/usr/openwin/bin/xauth merge - ; DISPLAY=localhost:10.0 /usr/openwin/bin/xclock"'''
		+
		+	If you unable to use ''xauth'' in a pipeline (perhaps you are using sudo to become another user, but additional command line arguments are not allowed), run '''xauth list''' on the account you are sudo'ing from, sudo to the account, and add the appropriate key via '''xauth add'''.

	=== Links ===		=== Links ===

Hutch: New page: From my system with an Xorg X server, I login to ''host'' via ssh with X11 forwarding and execute an X client. $ '''ssh hutch@host''' (host) $ '''echo $DISPLAY''' localhost:10.0 (host...

Hutch — Mon, 12 Nov 2007 18:56:08 GMT

New page: From my system with an Xorg X server, I login to ''host'' via ssh with X11 forwarding and execute an X client. $ '''ssh hutch@host''' (host) $ '''echo $DISPLAY''' localhost:10.0 (host...

New page

From my system with an Xorg X server, I login to ''host'' via ssh with X11 forwarding and execute an X client.

$ '''ssh hutch@host'''
(host) $ '''echo $DISPLAY'''
localhost:10.0
(host) $ '''/usr/openwin/bin/xclock'''

This works. What if I want to run an X client as the root user?

(host) $ '''/bin/su -'''
# '''echo $DISPLAY'''

# '''DISPLAY=localhost:10.0 /usr/openwin/bin/xclock'''
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

This doesn't work because the X client is looking for the authority file in ''~root/.Xauthority'', while the needed credentials (i.e., the "magic cookie") created by ssh are in ''~hutch/.Xauthority''.

From SSH(1):

ssh will also automatically set up Xauthority data on the server machine.
For this purpose, it will generate a random authorization cookie, store
it in Xauthority on the server, and verify that any forwarded connections
carry this cookie and replace it by the real cookie when the connection
is opened. The real authentication cookie is never sent to the server
machine (and no cookies are sent in the plain).

To make this work, set ''XAUTHORITY=~hutch/.Xauthority'' and execute the X client.
# DISPLAY=localhost:10.0 XAUTHORITY=/home/hutch/.Xauthority /usr/openwin/bin/xclock

This won't work if the root user cannot read ''/home/hutch/.Xauthority'', which would happen if the ''/home'' file system is on an NFS share and the root user is "squashed," or mapped to the ''nobody'' user.

If this is the case, use ''xauth'' in a pipeline to copy the user's credentials into the ''root'' user's authority file.

''su'' example:
$ '''uname -n'''
host
$ '''echo $DISPLAY'''
localhost:10.0
$ '''/usr/openwin/bin/xauth extract - host/unix:10 | su - root -c "/usr/openwin/bin/xauth merge - ; DISPLAY=localhost:10.0 /usr/openwin/bin/xclock"'''

''sudo'' example:
$ '''uname -n'''
host
$ '''echo $DISPLAY'''
localhost:10.0
$ '''/usr/openwin/bin/xauth extract - host/unix:10 | sudo su - root -c "/usr/openwin/bin/xauth merge - ; DISPLAY=localhost:10.0 /usr/openwin/bin/xclock"'''

=== Links ===

* [http://www.derkeiler.com/Mailing-Lists/securityfocus/Secure_Shell/2003-05/0001.html Re: X11 forwarding after su'ing]
* [http://www.sudo.ws/pipermail/sudo-users/2002-August/001156.html using sudo and ssh together`]