gwen
gwen's Daily Tweets

  • 10:42 Freecycle is making me very happy this week. Yay outgoing stuff!
  • 11:46 Pondering my lunch options.
  • 16:09 question to the geeks: I can open an xterm as root, but when I su to a user, I get "xterm Xt error: Can't open display: %s" Any ideas?
  • 17:08 heh, on bus and on wireless.
Automatically shipped by LoudTwitter

Comments

By the by, the cut is making me a whole lot less likely to view these now. An extra click is just enough hassle to put me off :P.

*shakes fist at those who couldn't just scroll past*

Oh and about the xterm thing... you're obviously getting to root via a path that preserves, or tunnels, the DISPLAY setting. But when you su to another user 1) it could well have lost the value of DISPLAY and 2) even if it didn't the perms will almost certainly be such that this 'random user, not root' can't access it anyway.

There's no way I can think of to do this if you need root->peon 'su' semantics. If you actually know their password or can arrange it to work via .ssh/authorized_keys then you can "ssh user@localhost" instead.

Yah, the point was to test the user's setup, which was failing.

And no, I do not have their password. Duh.

I'm just having them test it now... if they'd ever get back to me.

Oh, and now I think of it, if you're willing to drop some security for this you can just use xhost to grant the other user permission to access your display.

If some ssh'ing is involved first then it gets a bit more complex.

Yah, ssh'ing through a gateway machine, and then to the end host.

1) Be logged into local machine with X active, open an xterm/similar
2) In there: ssh -X (user@)gateway
3) On there ssh -X (user@)endhost
4) Now to let another user on endhost use the display:
4a) xauth list <-- hopefully just the one easily identified line, copy it into a local editor window
4b) xhost +otheruser@endhost
4c) echo $DISPLAY <--- copy this value into the editor window too
5a) su - otheruser
5b) xauth add <copied value from 'xauth list'>
5c) export DISPLAY=<copied value>
5d) xterm/other X app

In your case I assume that at step 3 (and 2?) you're ssh'ing to root@. Steps 4 and 5 are the ones that get things set up so the 'otheruser' can actually use the ssh channel back to your local X display.

Oh and the "-X" on the ssh's is unnecessary if your config is set up to default-allow X11 forwarding, but I find that unwise from a security PoV :).
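
Steps 4a to 5c above as an added shell sketch (not part of the original comment): it picks the `xauth list` entry that matches the forwarded DISPLAY and prints the `xauth add` and `export DISPLAY` lines for the other user to run. The function names, the host name `endhost` in the sample and the sample cookies are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the xauth hand-off commands for a forwarded X display.
# The cookie is a credential: anyone who holds it can use the display.

# Constructed sample of `xauth list` output on endhost (not real cookies).
SAMPLE_XAUTH_LIST='endhost/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
endhost/unix:11  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# display_number "localhost:10.0" prints 10
display_number() {
    d=${1##*:}                 # drop everything up to the last colon
    printf '%s\n' "${d%%.*}"   # drop the ".screen" suffix if present
}

# handoff_commands DISPLAY   (reads `xauth list` output on stdin)
# Prints the two commands the other user runs after `su - otheruser`.
handoff_commands() {
    n=$(display_number "$1")
    case $n in ''|*[!0-9]*) echo "bad DISPLAY: $1" >&2; return 1 ;; esac
    # Match the entry whose display name ends in ":<n>", so ":10" never picks ":110".
    entry=$(awk -v n="$n" '$1 ~ (":" n "$") && $2 == "MIT-MAGIC-COOKIE-1" { print $1, $2, $3; exit }')
    [ -n "$entry" ] || { echo "no cookie for display :$n" >&2; return 1; }
    key=${entry##* }
    case $key in *[!0-9a-f]*) echo "cookie is not hex" >&2; return 1 ;; esac
    printf 'xauth add %s\n' "$entry"
    printf 'export DISPLAY=%s\n' "$1"
}

# Demo on the constructed sample; on a real host use:
#   xauth list | handoff_commands "$DISPLAY"
printf '%s\n' "$SAMPLE_XAUTH_LIST" | handoff_commands 'localhost:10.0'
```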

I know. :p

I'd been able to open an xterm as far as being root on the end system, but after I su - [user], no dice. No matter now, the user reported back and I managed to fix her setup blind anyway. :)

See other (LJ unhappy about pointy braces for markup) comment about how to let you use X as the other user. Basically a mix of xauth, xhost and setting DISPLAY.

no ssh to root.

ssh me@gateway
ssh -X me@endhost
sudo -s
su - [user]

It's only the last step where I lose the X.

Hmmm, the method *should* work anyway, as it's explicitly just letting 'otheruser' use the ssh-backchannel for X11. DISPLAY tells it where to attempt X11 use and the xauth+xhost bits grant it permission.