2

Possible Duplicate:
Can I launch a graphical program on another user's desktop as root?

I'm trying to do the equivalent of:

$ sudo -u myuser DISPLAY=:1 xterm

However, it gives me the following error:

Client is not authorized to connect to Server

On the other hand, I can do this just fine:

$ sudo -i -u myuser
$ DISPLAY=:1 xterm

Why isn't the X server allowing me to launch an X11-based app directly as a different user, and is there any way I can explicitly allow this?

  • I'm not sure if this still applies, but back in the old days you needed to allow a certain host to display anything on the screen. This was done with "xhost +remote_host". Not sure if that plays well with sudo and it might open up a few other problems. – Alexander Janssen Oct 03 '12 at 18:35
  • @Alex xhost +localhost would allow any local user to connect to the X server. It only works if the X server accepts TCP connections, which is often not the case nowadays. – Gilles 'SO- stop being evil' Oct 03 '12 at 22:45

2 Answers

2

Allowing another user to connect to your X server means that he can see your screen, see what you're typing (like passwords), kill your applications (by terminating their connection to the X server) and thus log you out if he kills your window manager, lure you with fake windows... With that in mind, it's easy to understand why it's not allowed by default.

To allow another user access to your X server, you can either give him the access code for your server (see the output of xauth list "$DISPLAY") or, if the other user is local, run xhost +si:localuser:myuser.
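
The scoped grant from the answer above, wrapped so that it is withdrawn again when the client exits. This is an added example, not part of the original answer: the function name run_x_as is hypothetical, and it assumes the caller is already authorized on the display and is allowed to sudo to the target user.

```shell
#!/bin/sh
# Added example: run one X client as another local user with a scoped,
# temporary xhost grant instead of "xhost +localhost" or "xhost +".

# usage: run_x_as USER DISPLAY COMMAND [ARGS...]
run_x_as() {
    [ "$#" -ge 3 ] || { echo "usage: run_x_as USER DISPLAY CMD [ARGS]" >&2; return 2; }
    target=$1
    display=$2
    shift 2

    # Accept only a plain user name, so the value cannot turn into a
    # different xhost family, a host name or an option.
    case $target in
        ''|-*|*[!A-Za-z0-9._-]*) echo "bad user name: $target" >&2; return 2 ;;
    esac
    # Local displays only (":1", ":0.0"); "host:N" would mean a TCP connection.
    case $display in
        :[0-9]*) ;;
        *) echo "not a local display: $display" >&2; return 2 ;;
    esac

    # Server-interpreted entry: admits exactly this local user.
    DISPLAY=$display xhost "+si:localuser:$target" >/dev/null || return 1

    # env sets DISPLAY for the client even if sudoers resets the environment.
    sudo -u "$target" env DISPLAY="$display" "$@"
    status=$?

    # Withdraw the grant. Clients that already connected stay connected;
    # new connections by that user are refused again.
    DISPLAY=$display xhost "-si:localuser:$target" >/dev/null
    return "$status"
}

# Example call (needs a running X server): run_x_as myuser :1 xterm
```

While the client runs, any process of the target user can connect to the display, so the grant covers the user, not just the one program.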

1

If you have either myuser's password or a key in myuser's ~/.ssh/authorized_keys, and your system doesn't support the xhost +si:localuser syntax, you could try ssh -X myuser@localhost xterm

The -X enables X forwarding over that ssh connection, creating a new virtual X server, only accessible to that other user, that forwards requests to your X server without opening it up to any process run by any user on the system, which is what usually happens when xhost meets urgent need or laziness or ICBFRTFM, resulting in xhost +localhost.

That method also works (and shows its full potential) when the user is on a remote machine.

There's some overhead in forwarding X over ssh like this, but unless you're running something intensively graphical (like a 3D game), you're not likely to notice any performance drop. Adding the -o Ciphers=arcfour option to ssh may improve performance.

(BTW, I have run 3D programs like Second Life clients over an ssh -X connection like this, connecting to another machine on my home LAN. It's not great, but it works well enough for testing purposes.)

cas
  • That's not true, any random process of myuser can use that forwarded display. And ssh will happily forward any connection to your X server (including from xkill, xinput...) – Stéphane Chazelas Oct 03 '12 at 22:55
  • Yes, you are right. I should RTFM myself before writing :). I still think ssh is more convenient and useful than manually setting xauth, especially when connecting to other hosts on the LAN (or elsewhere on the internet). – cas Oct 03 '12 at 23:27