[SOLVED] Setting Up xauth or xhost

TSquaredF · 10-30-2010, 12:34 PM

from hyperfluid (snipped)

Quote:

... is there a method to automate this procedure properly when logging in/starting X?

There are probably several ways, but here is how I did it after reading this thread through. I use KDE, so you may have to modify it for your desktop.
Create a file named "x4su.sh" in /home/youruser/.kde/Autostart. This file should contain the lines:

#!/bin/bash
xauth extract /tmp/x4su $DISPLAY

Make the file executable.
Non-login consoles such as xterm/konsole programmatically source ~/.bashrc, so as root, add the line:

xauth merge /tmp/x4su

to the bottom of /root/.bashrc. Create the file if it doesn't exist.
Now when you log in to KDE, the display cookie will be exported to /tmp/x4su & when you open a terminal as root, that file will be merged with /root/.Xauthority.
This works for me, but, as stated, you may have to do some modifications, depending on DE used, etc.
Regards,
Bill

GazL · 10-30-2010, 05:03 PM

Running stuff as root isn't all that hard anyway because it can just use the existing Xauthority file directly
Just add an alias as follows to your bashrc and away you go.

Code:

alias rootxterm='su -l root -c "XAUTHORITY=$HOME/.Xauthority DISPLAY=:0 xterm"'

Things get far more involved when you start dealing with running non-root stuff from a non-root desktop because neither end can access each others files. You can always do the extract and import from a temporary file as TSquared has done above but you need to be careful with permissions to keep it secure while still allowing the users that you actually want to be able to use it to do so.

Anyway, as a quick proof of concept I knocked up a sudo based solution for transferring the xauth records:

This code is just a proof of concept. It needs a lot of error checking and input validation to make it safe to use!!
/usr/local/bin/share_xauth:

Code:

#!/bin/bash
#
#  Will share Xauthority entries for the current display with
#  other local users securely.
#
#  Usage:
#         sudo share_xauth user1 user2 user3 ...
#
#  
IFS=""
PATH="/usr/bin:/bin"

for destUser in "$@"
do
  if [ "$destUser" != "" ] ; then
     newAuthFile="/home/${destUser}/.Xauthority"
     /usr/bin/xauth -f "/home/$SUDO_USER/.Xauthority" extract - "$DISPLAY" \
        | /usr/bin/xauth -f "$newAuthFile" merge -
     chown "${destUser}:users" "$newAuthFile"
  fi
done

It'll need a corresponding sudoers entry, something like

Code:

%users  ALL=(root) NOPASSWD: /usr/local/bin/share_xauth

Theory being, put a "sudo share_xauth user1 user2" in any of your desktop startup files and you selectively get to grant access to your X Display to other local users accounts without any intervention and no need for temporary files.

There are probably better ways of doing this, but I can't think of one right now.

hyperfluid · 10-31-2010, 06:02 AM

Thank you both,

TSquared's method works fine, since I just need root to access the display right now.

But I will keep GazL's second solution in mind, if I will come across such a more sophisticated situation.

Enjoy the rest of the weekend,
Michael

qweasd · 10-20-2012, 09:39 PM

Quote:

Originally Posted by GazL

Running stuff as root isn't all that hard anyway because it can just use the existing Xauthority file directly
Just add an alias as follows to your bashrc and away you go.

Code:

alias rootxterm='su -l root -c "XAUTHORITY=$HOME/.Xauthority DISPLAY=:0 xterm"'

Things get far more involved when you start dealing with running non-root stuff from a non-root desktop because neither end can access each others files. You can always do the extract and import from a temporary file as TSquared has done above but you need to be careful with permissions to keep it secure while still allowing the users that you actually want to be able to use it to do so.

Anyway, as a quick proof of concept I knocked up a sudo based solution for transferring the xauth records:

This code is just a proof of concept. It needs a lot of error checking and input validation to make it safe to use!!
/usr/local/bin/share_xauth:

Code:

#!/bin/bash
#
#  Will share Xauthority entries for the current display with
#  other local users securely.
#
#  Usage:
#         sudo share_xauth user1 user2 user3 ...
#
#  
IFS=""
PATH="/usr/bin:/bin"

for destUser in "$@"
do
  if [ "$destUser" != "" ] ; then
     newAuthFile="/home/${destUser}/.Xauthority"
     /usr/bin/xauth -f "/home/$SUDO_USER/.Xauthority" extract - "$DISPLAY" \
        | /usr/bin/xauth -f "$newAuthFile" merge -
     chown "${destUser}:users" "$newAuthFile"
  fi
done

It'll need a corresponding sudoers entry, something like

Code:

%users  ALL=(root) NOPASSWD: /usr/local/bin/share_xauth

Theory being, put a "sudo share_xauth user1 user2" in any of your desktop startup files and you selectively get to grant access to your X Display to other local users accounts without any intervention and no need for temporary files.

There are probably better ways of doing this, but I can't think of one right now.

Stealing the cookie seems like a lot of trouble. After digging for a while I found this:

Code:

xhost si:localuser:root

which is run by a user who wants to let the root to connect to X. How safe is that, I wonder?

GazL · 10-21-2012, 06:19 AM

Yes, I think I've posted on LQ about 'si:localuser' before. The post you quoted is a couple of years old now. I don't know when the server interpreted localuser security extensions were added to X.org, but if it did exist back when I wrote that, then I certainly wasn't aware of it.

The above script has the advantage of also working with non-local Xserver displays so it's not completely obsolete, but for a locally hosted display the si:localuser stuff will do the job nicely.