LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 01-11-2006, 10:37 AM   #1
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Rep: Reputation: 49
Give root access to user's display + sudo problems


Using debian, and I have debconf configured to use Qt to display questions or notices. However, since I can only run apt-get, dpkg, etc as root I always get
Code:
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
X is running on display :0 as far as the $DISPLAY variable can tell. My question is: how can I give root access to use it?

I thought of using sudo instead of having a terminal running as root. However, even after adding "ephracis ALL = (ALL) ALL" I keep getting "Sorry, try again" after typing the correct password. Is there some rehashing or such I don't know about? Have been using normal vi to edit /etc/sudoers but I also tried using visudo, nothing helped.

Thanks..
 
Old 01-11-2006, 11:32 AM   #2
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: Tupelo, MS
Distribution: Gentoo
Posts: 6,926

Rep: Reputation: 124Reputation: 124
I don't think root can access user's display. Perhaps I'm wrong.
I think only the user logged in can launch the X server.

For the sudo issue, this is the setup:
Code:
root@silas:~# cat /etc/sudoers
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
 %wheel ALL=(ALL)       NOPASSWD: ALL  <--- uncomment this line 

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
Put All in the wheel group with no password, then add
your user to the group wheel by issuing as root, "vigr"
and you should be all set.
 
Old 01-11-2006, 11:44 AM   #3
reddazz
Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 73
The problem with using the wheel group is that anyone who is in there has full root privileges so someone only needs to access one user account to have full access to the entire system.
 
Old 01-11-2006, 11:47 AM   #4
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: Tupelo, MS
Distribution: Gentoo
Posts: 6,926

Rep: Reputation: 124Reputation: 124
That's why we create good passwords...
 
Old 01-11-2006, 12:23 PM   #5
abisko00
Senior Member
 
Registered: Mar 2004
Location: Munich
Distribution: SuSE, Ubuntu
Posts: 3,511

Rep: Reputation: 58
Ephracis:
In KDE, you may be able to use kdesu to start x applications as root (it may be a SUSE tool, though). Another option is to use ssh, which allows root access to the x server on some systems. You can also use xhost +localhost to share the display with all local users.

Last edited by abisko00; 01-11-2006 at 12:33 PM.
 
Old 01-11-2006, 03:39 PM   #6
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
root is able to access any display, as long as X server is set to allow it. Set root's DISPLAY variable, as it appears you have. Then the key is to enter "xhost +127.0.0.1" to a console. This will allow all local X connections, and should get rid of that "refused by server" message, and allow root to popup windows on the 0.0 session of X.
 
Old 01-11-2006, 04:42 PM   #7
reddazz
Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 73
On some distros "xhost +localhost" or "xhost +IPADDRESS" don't work if you use "su -" to switch to root, but work fine if you just use "su". If you need to run X as root from other hosts, you can do "xhost +".

Quote:
Originally Posted by Chinaman
That's why we create good passwords...
I see. I guess all those systems that get cracked are not using strong passwords.
 
Old 01-11-2006, 04:53 PM   #8
Ephracis
Senior Member
 
Registered: Sep 2004
Location: Sweden
Distribution: Ubuntu, Debian
Posts: 1,109

Original Poster
Rep: Reputation: 49
ksudo worked, as long as the program I was running was graphical, since it did not send any output to the terminal.
It seems that sudo cannot work with passwords enabled. It worked fine with the "NOPASSWD:" but with it I get "Sorry, try again" messages. This is bad since I don't want to make ephracis == root.

I added 127.0.0.1 and localhost to the accesslist with xhost, which didn't work. However, root could access X if I gave every host access to it with "xhost +". This is not good enough to me, since I don't want to disable the accesslist control.

Any suggestions?
 
Old 01-11-2006, 05:15 PM   #9
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162
if you only want to allow root instead of everyone, as root run:

Code:
/usr/X11R6/bin/xauth merge ~username/.Xauthority
Where username is the ordinary user who currently owns the display. I don't know why, but sometimes my .Xauthority file has its permissions changed by this. You may also have to run:

Code:
chown username:usernames ~username/.Xauthority
 
Old 01-11-2006, 05:16 PM   #10
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
If you want to be logged on to the console as a normal user and using a GUI and run an X application as root then you want to use the sux utility. After looking around the Debian web site I found that the Debian etch release, which you are apparently using, is currently in testing. I checked the packages for this release and sux is available.

http://packages.debian.org/testing/admin/

It is also available for the stable sarge release.

http://packages.debian.org/stable/admin/

You use sux in a terminal window. Sux is just the su command for X. When you use this you need to define the DISPLAY environment variable once you have switched users. I just put this in my root account's $HOME/.bashrc file.

DISPLAY=":0.0"

I love it. I can be logged on at the console as a normal user and still run Ethereal or tcpdump or netstat -a or whatever needs privileges. You can be browsing the Internet as a normal user and still have privileged software running. This is helpful if you are getting instructions from an Internet site about doing some task that needs privileges. Keep in mind, though, that the privileged processes still share the same X display, so that could be a security issue. If you have things displayed on your console from an application running as root that shouldn't be shown to the Internet then you might not want to do this. However, I do this all the time. I'm not too concerned about a malicious web site or whatever copying the X display from my machine. On the other hand a few months ago I received several emails that contained strange gif files that mapped a piece of the video display. Clearly these emails could have copied the partial display to some remote site. Be careful and you should be okay.

This is what I typically do. Open a Konsole terminal window then enter the following commands to run Ethereal.

sux -
password:
ethereal 2>/dev/null &

This keeps the nasty X error messages off of your Konsole window and allows you to run more than one application as root. This also works great if you have other normal user accounts. You can sux - <user> and run X applications as that user. I use this to keep my business information in a different user account that never accesses the Internet. My Internet access account cannot see into the business account's home directory. I can log on to the business account using sux and run Kontact, Kmail, Koffice, and other applications.

I almost forgot. The su and sux commands are different than sudo. When you use sudo you enter your normal user account password. When you use su and sux you enter the password of the account that you are switching to.

Last edited by stress_junkie; 01-11-2006 at 06:30 PM.
 
Old 01-11-2006, 08:11 PM   #11
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: Tupelo, MS
Distribution: Gentoo
Posts: 6,926

Rep: Reputation: 124Reputation: 124
Quote:
Originally Posted by reddazz
I see. I guess all those systems that get cracked are not using strong passwords.
Let's not talk hypothetical, such as "all those systems that get cracked."

I have NEVER had a system cracked, and I use passwords that won't be
broken by some little script kiddie on the net. If you are using a password
that cannot be broken by a dictionary editor (I am), then with the default
install of Slackware, updated by the patches Pat releases, you should have
no worry about a cracker.

Give proof otherwise. I'm tired of people crying wolf with no substantiation.
The fact of the matter is that a default install of Slackware, without systems
running that aren't used and hardened, is quite secure.

I welcome all kiddies who want to try to break into ANY of my 6 Slackware
boxen. No one's done it yet, and where I live, it's tried often.
 
Old 01-11-2006, 11:22 PM   #12
reddazz
Guru
 
Registered: Nov 2003
Location: N. E. England
Distribution: Fedora, CentOS, Debian
Posts: 16,298

Rep: Reputation: 73
Quote:
Originally Posted by Chinaman
Let's not talk hypothetical, such as "all those systems that get cracked."

I have NEVER had a system cracked, and I use passwords that won't be
broken by some little script kiddie on the net. If you are using a password
that cannot be broken by a dictionary editor (I am), then with the default
install of Slackware, updated by the patches Pat releases, you should have
no worry about a cracker.

Give proof otherwise. I'm tired of people crying wolf with no substantiation.
The fact of the matter is that a default install of Slackware, without systems
running that aren't used and hardened, is quite secure.

I welcome all kiddies who want to try to break into ANY of my 6 Slackware
boxen. No one's done it yet, and where I live, it's tried often.
Just because you have not been affected by something does not mean that it cannot happen or won't happen. You may have lots of confidence in yourself and know these potential problems but others may not and thats why I have pointed out one of the potential risks of using the wheel group even if you have a strong password.
 
Old 01-11-2006, 11:25 PM   #13
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: Tupelo, MS
Distribution: Gentoo
Posts: 6,926

Rep: Reputation: 124Reputation: 124
Perhaps this discussion belongs in a different place...

Last edited by Bruce Hill; 01-12-2006 at 01:07 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to give apache root access Roll Linux - Software 2 03-02-2005 07:55 AM
Give Root Access To A Normal User waknauss Linux - Security 2 11-11-2004 09:00 AM
What command will give me root access from the gui? Thaidog Linux - Newbie 9 09-21-2004 09:39 AM
Sudo User's LinuxRam Linux - General 5 08-19-2004 11:49 AM
how to give root ftp access blaha Linux - Software 3 05-30-2003 09:09 PM


All times are GMT -5. The time now is 02:01 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration