Windows of different users in one xsession?
Hi
Is it possible to view and control windows of different users on one X session?

Example: user1 logs in to kde and can now start using gui programs like "xcalc". user1 can start up a terminal as well and run

    su user2

Now being user2 he can try to start the gui program "kwrite", but what I get then is this error message:

    bash-4.2$ kwrite
    No protocol specified
    kwrite: cannot connect to X server :0.0
    bash-4.2$

Is there a way to make this error message disappear and show the window of kwrite instead (run by user2)? Then there would be windows of two different users visible and controllable (xcalc by user1 and kwrite by user2).

Yes, I know, I can start multiple xsessions in parallel and switch back and forth using ctrl+alt+F7 etc., but I wonder about having all windows on one screen. Something similar to what I am looking for is the behavior of the ssh -Y command (in that case I also have windows of two different users (of two different computers even!) on my screen).

Thanks in advance
Volvox
Yes, you could use ssh -X or -Y to accomplish this; remember, ssh does not care if you are local or remote.
The reason su by itself cannot do it is because the ownership of the access keys to the display belongs to user1. IF user2 could access them, it would work - but then the real user2 could ALSO access them, which would be a security failure.
The ssh technique works because a new key is given to user2 that only works through the ssh connection. When the user2 logs out (terminates the ssh link), that key becomes useless; so the real user2 is prevented from doing things to the display. He still can... but there are things that are blocked (such as starting a screensaver that would prevent user1 from doing anything at all). User1 IS still vulnerable, but not to trivial screen locking - the real user2 could log in and start a display/key/mouse tracking application for instance... But this gets cut off when the ssh session is terminated.
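Added example, not part of the original posts: the "access keys" in the reply above are normally stored as MIT-MAGIC-COOKIE-1 entries in user1's Xauthority file (`~/.Xauthority` or the path in `$XAUTHORITY`), and the Python sketch below parses that file format and reports who owns the file and whether any other account could open it. The function names, the host name `host1` and the all-zero cookie are constructed for illustration.

```python
import os
import stat
import struct

# Address-family codes used in Xauthority entries.
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def build_record(family, address, number, name, data):
    """Serialize one entry: 2-byte family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Return the entries in an Xauthority blob without exposing cookie bytes."""
    entries, pos = [], 0
    while pos < len(blob):
        fields = []
        for i in range(5):  # family, address, display number, auth name, auth data
            if pos + 2 > len(blob):
                raise ValueError("truncated record")
            (value,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if i == 0:
                fields.append(value)  # family is a bare 16-bit code
                continue
            if pos + value > len(blob):
                raise ValueError("truncated field")
            fields.append(blob[pos:pos + value])
            pos += value
        family, address, number, name, data = fields
        entries.append({"family": FAMILIES.get(family, family),
                        "address": address.decode(errors="replace"),
                        "display": number.decode(errors="replace"),
                        "auth_name": name.decode(errors="replace"),
                        "cookie_len": len(data)})
    return entries

def audit_cookie_file(path):
    """Report who owns the cookie file and whether other accounts can open it."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        entries = parse_xauthority(fh.read())
    return {"owner_uid": st.st_uid,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "open_to_others": bool(st.st_mode & 0o077),
            "entries": entries}

# Constructed sample entry: display :0 on a made-up host with an all-zero cookie.
SAMPLE = build_record(256, b"host1", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))
```

Calling `audit_cookie_file()` on the real cookie file shows why `su user2` fails: the file belongs to user1 and, when `open_to_others` is false, user2 has no way to read the key for display :0.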
I think you can do this with xhost; take a look at the xhost man page.
xhost would allow it... but only by opening up the display to EVERY user.
And the only way to stop a display/keyboard/mouse tracker/logger is to logout.
Actually, the way I'm reading the xhost man page, you can allow access by name, e.g., someuser@somehost or
Check the NAMES section of the man page.
Quote:
Neither is commonly available. The need for an encrypted TCP connection is because the credentials are passed unencrypted... Normally, the X TCP socket is not enabled either - due to the insecurity. And if you notice - it still opens up the server to anything from user2.