61

My regular user account is, let's say, user1. I created a separate user2 for some X application that I would like to run while being logged into X as user1, but in a way that will prevent it from read/write access to user1's data. I thought that I could use xauth and sudo/su to user2 from user1 to run this application. How do I do this? I'm not sure how to configure xauth.

  • 208
Phil
  • 2,119

11 Answers

45

To use xauth selectively, as user1 run:

xauth list|grep `uname -n`

This prints the hexkey authorization entries for you. You could have different displays associated with those hosts as well.

As user2 set your display (assuming default case):

DISPLAY=:0; export DISPLAY

Then run:

xauth add $DISPLAY . hexkey

Note the dot after the $DISPLAY and before the hexkey.

When access is no longer needed, as user2 you can run:

xauth remove $DISPLAY
Randall
  • 646
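
Added example (not part of any answer on this page): the first step of the answer above, done with an exact match on one display's entry instead of a grep on the hostname, so that when .Xauthority holds several entries only the key for that display is handed to user2. The function names, the host name `myhost` and the keys in the sample are constructed for illustration, and a local `host/unix:N` entry is assumed.

```shell
#!/bin/sh
# Constructed sample of `xauth list` output (host names and keys are made up).
SAMPLE_XAUTH_LIST='myhost/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
myhost/unix:10  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100
otherhost:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'

# cookie_for_display HOST DISPLAYNUM   (reads `xauth list` output on stdin)
# Prints "PROTOCOL HEXKEY" for the entry HOST/unix:DISPLAYNUM.
# The match is exact, so display 1 never picks up the key of display 10,
# and a key field that is not plain hex is rejected. Exit status 1 if no entry.
cookie_for_display() {
    awk -v want="$1/unix:$2" '
        $1 == want && $3 ~ /^[0-9a-fA-F]+$/ { print $2, $3; found = 1; exit }
        END { exit !found }
    '
}

# xauth_add_args DISPLAY HOST   (reads `xauth list` output on stdin)
# Prints the arguments user2 would pass to `xauth add` for that one display.
xauth_add_args() {
    num=${1##*:}        # ":10.0" -> "10.0"
    num=${num%%.*}      # "10.0"  -> "10"  (drop the screen number)
    entry=$(cookie_for_display "$2" "$num") || return 1
    printf '%s %s\n' "$1" "$entry"
}

# Demonstration on the constructed sample. For real use, as user1:
#   xauth list | xauth_add_args "$DISPLAY" "$(uname -n)"
# and as user2:  xauth add <the printed arguments>
printf '%s\n' "$SAMPLE_XAUTH_LIST" | xauth_add_args :0 myhost
```

Piping `xauth extract - "$DISPLAY"` from user1 into `xauth merge -` run as user2 transfers the same single entry without the key appearing on a command line.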
19

I put in my .zshrc a line with export XAUTHORITY=~/.Xauthority and now I am able to execute sudo -E xcommand. After a lot of googling, for me this was the easiest way.

kfl62
  • 301
13

First: Don't use xhost +, it's rather insecure (blanket allow/deny).

Rather use the X-Cookie mechanism:

su user2
cp /home/user1/.Xauthority /home/user2/.Xauthority 
export DISPLAY=:0

Alternatively, if you have sux installed, use that (see ehempel's answer).

In both cases user2 will use the secret cookie in .Xauthority to authorize to the X server, and no one else will have access to it.

Notes:

  • Depending on your file permissions, you might have to copy .Xauthority in some other way.
  • Instead of copying .Xauthority, you can also use xauth to extract and copy the authorization key (see Randall's answer). If you have multiple keys in the .Xauthority file this is more selective; otherwise it is a matter of taste.
sleske
  • 10,234
8

Assuming Debian or Ubuntu (should be similar on Red Hat / SUSE).

sudo apt-get install sux
sux user -c 'command'
ehempel
  • 143
8

As root:

xhost local:yourusername

Where yourusername is your user name :)

Then do su as your user; xclock should work if it's installed.

ACV
  • 211
  • 2
  • 3
7

This will fix the problem for all users:

cat <<EOF > /etc/profile.d/xauth.sh
#!/bin/bash
export XAUTHORITY=~/.Xauthority
EOF
JMS
  • 71
3

I found something that works great for me on KDE

kdesu -u username /path/to/program
Phil
  • 2,119
2

Some other options:

  • xauth + (unsecure) (doesn't work on recent versions of xauth)
  • ssh -X user2@localhost (ugly, but might be simpler to get to work than direct authentication)
alex
  • 1,329
1

#1 Give full access to user2
xhost +SI:localuser:user2

#2 Switch to user2 and run firefox
sudo -u user2 firefox

This is what works for me.

0

This is the way it is done in SUSE/openSUSE: http://www.novell.com/support/kb/doc.php?id=7003743

Simply modify /etc/pam.d/su, adding the option (bold):

session optional pam_xauth.so systemuser=1

Then you can switch with su without -:

su user2

and run the app graphically.

pojem
  • 1
-2

For GNOME (and without any desktop environment really, I use it with icewm only) gksu:

gksu -u username program
Matija Nalis
  • 2,512