
I have to use a home-built tool at my company which requires 'root' privileges.

To make things worse, it's a GUI application. Normally, I wouldn't execute such things, but I don't have much of a choice.

Currently, I am using

xhost + && sudo java -jar servermanager.jar && xhost -

to execute the application. This means, though, that for the time java is running, access control to the X server is disabled.

Granted, this might not be the worst of security issues, but it still got me wondering whether there is a better-timed method to execute xhost - immediately after the application has opened its X connection.

TL;DR: How can I execute a command right after a GUI window has opened?

Toby Speight
tannerli

3 Answers


Local X server

If your X server is local (i.e. Unix socket connection rather than TCP), you could be more fine-grained, and allow only that specific local user:

xhost +SI:localuser:root

X over SSH

If not, you might consider allowing direct SSH to root (using public-key authentication), with X forwarded over this secured connection, and using this as a replacement for your sudo invocation:

ssh -X -f root@localhost java -jar servermanager.jar

.Xauthority and sudo

Assuming root can read your .Xauthority file (likely, unless your home dir is on NFS), then you may find that simply putting XAUTHORITY=$HOME/.Xauthority¹ in the environment of the command run within sudo will allow it to connect:

XAUTHORITY="${XAUTHORITY-$HOME/.Xauthority}" \
  sudo -E java -jar servermanager.jar

.Xauthority and xauth

If sudo is configured to not allow passing XAUTHORITY, you could explicitly export the token:

xauth extract - $DISPLAY | sudo bash -c \
  "xauth merge - && java -jar servermanager.jar"

¹$HOME here is the user's home directory, not root's.

Toby Speight
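The narrowest option in the answer above, `xhost +SI:localuser:root`, wrapped so that the grant is removed again when the program exits and the run is refused while access control is disabled. This is an added example, not part of the original answer; the function names `xhost_audit` and `run_root_gui` are hypothetical, and it assumes a local X server and the usual status lines printed by a bare `xhost`.

```shell
# Added example, not code from the answers. Function names are hypothetical.

# Classify the text printed by a bare `xhost` (read from stdin):
#   open   - access control disabled (the state `xhost +` leaves behind)
#   broad  - enabled, but some entry is wider than a single local user
#   scoped - enabled, and every entry (if any) is SI:localuser:<name>
xhost_audit() (
  state=scoped
  while IFS= read -r line; do
    case $line in
      "access control disabled"*) echo open; exit 0 ;;
      "access control enabled"*|"") ;;
      SI:localuser:*) ;;
      *) state=broad ;;
    esac
  done
  echo "$state"
)

# Run a command through sudo with X access granted to local user root only.
# The body is a subshell, so the EXIT trap revokes the grant when the
# command finishes, whether it succeeded or failed.
run_root_gui() (
  if [ "$(xhost | xhost_audit)" = open ]; then
    echo "X access control is disabled; run 'xhost -' first" >&2
    exit 1
  fi
  xhost +SI:localuser:root >/dev/null || exit 1
  trap 'xhost -SI:localuser:root >/dev/null' EXIT
  sudo "$@"
)

# Typical call, replacing the `xhost + && sudo ... && xhost -` chain:
#   run_root_gui java -jar servermanager.jar
```

Running `xhost | xhost_audit` afterwards shows whether anything wider than per-user entries is still in the access list.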

I put the following in my ~/.bash_aliases:

smg(){
  xhost +
  sudo echo "Starting servermanager" #To get sudo prompt in fg
  sudo java -jar ~/downloads/servermanager.jar 2>/dev/null &
  sleep 5
  xhost -
}
tannerli

If you have pgrep installed, you could make it more deterministic with something like:

smg(){
  xhost + 
  sudo echo "Starting servermanager" #To get sudo prompt in fg
  sudo java -jar ~/downloads/servermanager.jar 2>/dev/null &
  while  ! pgrep -l servermanager.jar > /dev/null ; do :; done
  xhost -
}

... depending on what the final process name ends up being. If it turns out to fire too quickly, you could always keep a small sleep after the while loop.

Jeff Schaller