[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: allowing root to display to a user's X session

DvB <dvanbalen@jam.rr.com> writes:
> David Wright <ichbin@shadlen.org> writes:
> > When troubleshooting on RedHat, I often log in to a X session as a user,
> > then su to root in an xterm and run ethereal (a packet-sniffer with GUI)
> > to watch the network traffic that results from my actions as a user.
> > 
> > I would like to do this on Debian, but when I try to start ethereal, I get
> > the error message:
> >   Xlib: Client is not authorized to connect to Server
> > Apparently root is not allowed to display to a user's X session. How can I
> > allow this?
> 'xhost +localhost' should fix the problem (this allows connections to
> your x session from your local machine).

If you use this just make sure you're the only one on the machine, or
that everyone that has an account on your machine is "trusted". It
completely opens up your entire X session to anyone on
"localhost". Nothing wrong with that, as long as you're aware that
that is the case.

My preferred solution is to su to root and do:

export XAUTHORITY=~myusername/.Xauthority ;export DISPLAY=:0.0

I think there are still some security concerns even with this, but
it's better than "xhost + localhost", as far as security goes anyway.

The other option is to get the "Magic Cookie" of your xsession. The
sequence would be something like:

% xauth list
junk/unix:0 MIT-MAGIC-COOKIE-1  a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7 MIT-MAGIC-COOKIE-1  a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
% su -
root% xauth add MIT-MAGIC-COOKIE-1 a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7
root% export DISPLAY=

I think that's the best approach if you're up-tight about security. Of
course if you're really up-tight about security you wouldn't be using X
at all! ;)


Reply to: