On my Debian system root can automatically run X-Apps (after an su). I was
wondering why but haven't figurerd it out yet. It's not what I was used to
before.
I think you did `su', not `su -'.
A mere `su' merely changes your identity, but the environment stays the
same. In particular $HOME. So when you launce an X-appl, the authorisation
cookie is read from /home/other-user/.Xauthority, and you really being root
and allowed to read anything this works.
A `su -' on the other hand behaves like you logon, so $HOME now points
to root's home dir and X tries to read /root/.Xauthority. Unless you've
merged in the .Xauthority from the user you su-ed from this will fail.
Simply running `xauth merge /home/other-user/.Xauthority' fixes this for
as long as the X-cookie of that other user doesn't chance.