Re: The best recommendation for allowing "su" in X
On Sun, 7 Jul 2002, Osamu Aoki wrote:
> Here is the background. FAQ is:
> "I want to run X from a user account. It is a good thing. But how can
> I get a program which requires root privilege to run from this X
> Answer is simple and I know this:)
> "export XAUTHORITY=$HOME/.Xauthority"
I like it better to run "xauth merge ~<USER_RUNNING_X>/.Xauthority" once
after "su -"ing; this will import the user's keys into root's .Xauthority.
On some machines I have put the following in /etc/sudoers:
Cmnd_Alias ROOTXTERM=/usr/X11R6/bin/xauth -f /root/.Xauthority merge *, \
    /usr/bin/aterm -[Tnlbtd]*, /usr/X11R6/bin/xterm -[Tnlbtd]*
This allows me to run the following commands from a script I called
# Ask for the users password
xterm -T 'Root Login:' -e /usr/bin/sudo -p 'Password for \%u\@\%h:' -H \
xauth -f ~root/.Xauthority merge $XAUTH"
# Start an xterm as root
/usr/bin/sudo -H -b xterm -bg Mistyrose -T Root@`hostname -f` -n Root -ls "$@"
The Cmnd_Alias doesn't allow abusing the initial xterm call to run
arbitrary commands using the -e switch. You must start the xterm first
and then you can enter the commands you like. The Host_Alias restricts
the ability to start the xterm to the localhost only.
Obviously this is still a security hole, albeit a small one, because
you need an ordinary user's password to become root, but only if you
have physical access to the machine.
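
An added example, not part of the original post: a small Python audit that parses the Cmnd_Alias above and checks which constructed command lines it admits. It assumes sudo's documented behaviour of matching the space-joined argument string against the pattern as one string (so a wildcard spans word boundaries) and approximates it with Python's fnmatch; the helper names are hypothetical.

```python
import fnmatch
import re

# Constructed input: the Cmnd_Alias from the post, folded with a backslash.
SUDOERS = r"""
Cmnd_Alias ROOTXTERM=/usr/X11R6/bin/xauth -f /root/.Xauthority merge *, \
    /usr/bin/aterm -[Tnlbtd]*, /usr/X11R6/bin/xterm -[Tnlbtd]*
"""

def parse_cmnd_alias(text):
    """Return {alias_name: [(path, arg_pattern_or_None), ...]}."""
    folded = re.sub(r"\\\n\s*", " ", text)  # join continuation lines
    aliases = {}
    for line in folded.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if not m:
            continue
        specs = []
        # Simplification: entries are split on ','; escaped commas are not handled.
        for entry in m.group(2).split(","):
            path, _, args = entry.strip().partition(" ")
            specs.append((path, args.strip() or None))
        aliases[m.group(1)] = specs
    return aliases

def risky_specs(specs):
    """Entries whose argument pattern contains a shell-style wildcard."""
    return [(p, a) for p, a in specs if a and re.search(r"[*?\[]", a)]

def allowed(specs, argv):
    """Approximate sudoers matching: the arguments are joined with spaces and
    matched as one string, so '*' also spans spaces and later options."""
    path, args = argv[0], " ".join(argv[1:])
    for spec_path, pattern in specs:
        if path != spec_path:  # sample paths contain no wildcards
            continue
        if pattern is None or fnmatch.fnmatchcase(args, pattern):
            return True
    return False

if __name__ == "__main__":
    specs = parse_cmnd_alias(SUDOERS)["ROOTXTERM"]
    xterm = "/usr/X11R6/bin/xterm"
    for argv in ([xterm, "-T", "Root", "-ls"],          # intended use
                 [xterm, "-e", "/usr/bin/id"],           # -e as first option
                 [xterm, "-T", "Root", "-e", "/usr/bin/id"]):  # -e later
        print(allowed(specs, argv), " ".join(argv))
    for path, pattern in risky_specs(specs):
        print("wildcard in arguments:", path, pattern)
```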