On 9 Dec 2023 04:37:09 GMT Robert Riches wrote:--
On 2023-12-08, Markus Robert Kessler <no_reply@dipl-ing-kessler.de>
wrote:
Hello everyone,
I'm just trying to switch the current user and then invoke some X11
application, but this does not work.
On Redhat-based machines this never was a problem and I need this
means to keep my accounts separate from each other for security
reasons. E.g., I do a
'su - bank'
and after logging in I can invoke 'chromium-browser
https://pathtoonlinebanking'
Now I see, that Debian-based Raspbian OS and Ubuntu (23.10) behave
very similar, it looks like this:
$ su - test1
Passwort:
$ firefox
Error: no DISPLAY environment variable specified
$ DISPLAY=':0.0' firefox
Authorization required, but no authorization protocol specified
On Raspbian and on Ubuntu the same lets me assume that it was not me
to misconfigure something.
Can this be fixed easily? - Thanks!
Best regards,
Markus
It sounds like you're running into the XAUTH system.
Normally, in the home directory of the user who's running X stuff there
is a file called ".Xauthority", and environment variable XAUTHORITY
holds the full, absolute path to that file.
In order for user B to run X clients/apps when user A is the one who
started the X server, user B must set environment variable XAUTHORITY
to a file which user B has permission to read and which has the same
contents as user A's ~/.Xauthority.
How you get that file and environment variable set depends on your use
case. I run my web browsers, gimp, and a few other programs as a
different user for security and a few other reasons. I have wrapper
scripts that do the file copying,
environment variable setting, and environment variable preservation
across sudo and/or su. For the way I do all that,
user B's only reason for existence is to run browsers and such for user
A, and it's important that user A have write permission to user B's
home directory by means of the g+w permission bit.
Hi,
maybe there's a way around wrapper scripts?
I am wondering, why on Redhat-based systems like Mageia there is no need
for that, instead all this is done in background.
What I found out is, that when switching 'su - newaccount', then
- a file ~/.xauth* (e.g.: .xauthOa9EpX) is automatically created
(by su? by pam?)
- and when either starting x-app like xclock, so this works, or
  deleting this .xauth* and starting x-app, then above error occurs
This looks like su does all this "wrapping" automatically, as long as it
is configured adequately. Maybe also systemd plays some role here.
Does anyone have more details here?
I am asking, because life would be easier, if this runs automatically :-)
Thanks!
Best regards,
Markus
Hi everyone,
I have suspected pam authentication already, and in the meantime I
compared Mageia and Raspbian more deeply regarding the entries in /etc/pam.d.
I found out, that adding this line
session optional pam_xauth.so
to the front of /etc/pam.d/su
solves this issue. I've also tested this on Ubuntu successfully.
Now, after su - newuser, invoking an app for X11, like xclock, makes this window open and working.
Finally, big thanks to all of you for this wonderful and highly
interesting discussion!
Nevertheless, it turned out to be a good idea to always handle X / desktop sessions with care.
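
Added example, not part of any post in this thread: a shell function that reports where a PAM service file such as /etc/pam.d/su activates pam_xauth (the module that forwards xauth keys between users), including through included files. The function names and the include handling are assumptions of this example; it only reads the files it is given.

```shell
#!/bin/sh
# Added example, not from the thread: list active session lines that load
# pam_xauth.so in a PAM service file, following "@include NAME" (Debian) and
# "session include|substack NAME" (Red Hat family) into the same directory.
# Output: one "FILE:LINE: CONTROL" per match.
pam_xauth_scan() {
    # Stop on unreadable files and on runaway include chains ($2 = depth).
    [ -r "$1" ] && [ "${2:-0}" -lt 8 ] || return 0
    awk -v f="$1" -v d="$(dirname "$1")" '
        /^[ \t]*#/ || NF == 0 { next }            # comments, blank lines
        $1 == "@include" { print "I", d "/" $2; next }
        {
            type = $1; sub(/^-/, "", type)         # "-session": module may be absent
            if (type != "session") next
            i = 2; control = $2                    # control may be "[a=b c=d]"
            while (control ~ /^\[/ && control !~ /\]$/ && i < NF)
                control = control " " $(++i)
            module = $(i + 1)
            if (control == "include" || control == "substack") {
                print "I", d "/" module; next
            }
            n = split(module, p, "/")              # accept a full module path
            if (p[n] == "pam_xauth.so") print "M", f ":" NR ": " control
        }' "$1" |
    while read -r kind rest; do
        case $kind in
            M) printf '%s\n' "$rest" ;;
            I) pam_xauth_scan "$rest" $(( ${2:-0} + 1 )) ;;
        esac
    done
}

# True when at least one active pam_xauth session line is reachable from FILE.
pam_xauth_enabled() { [ -n "$(pam_xauth_scan "$1")" ]; }

# Command-line use: sh thisfile.sh /etc/pam.d/su /etc/pam.d/sudo
for f in "$@"; do pam_xauth_scan "$f"; done
```

A commented-out line is not reported, so an empty result for /etc/pam.d/su means su does not forward the X cookie through this module.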