Using a GUI application as another user
You may have noticed in the discussion of the
su command in the previous
section that we ran only commands that displayed output in the
terminal window. Usually you will be able to run GUI commands too. For
example, some installation programs require you to have root authority
to install a program and have a GUI installer. If you find you cannot
start GUI applications as another user, then read on, as you may have
to take additional steps on some distributions in order to run GUI
applications as another user.
Note: Recent distributions often let you have multiple desktops open at once and switch between them using a key sequence such as Ctrl-Alt-F7 or Ctrl-Alt-F8. Depending on what you need to do, this may be another alternative. See the section on Logout for details on this menu option.
GUI applications on Linux use the X Window System, a client-server system designed to allow multiple users to access a computer across a network using windowed applications. An X display is known by a name of the form hostname:displaynumber.screennumber. For Linux running on a workstation such as a PC, there is typically only one display with a single screen. In this case, the displayname may be, and usually is, omitted so the display is known as :0.0, or sometimes just :0.
The X Window System server needs to know the display and also whether you are authorized to connect to the server. Authorization is most commonly done using the MIT-MAGIC-COOKIE-1, which is a long random string that is regenerated whenever the server is reset. So that applications can pass this information to the X server, you will have DISPLAY and XAUTHORITY variables set in your environment. The XAUTHORITY variable will point to a file that is usually only able to be read or written by the owning user as a security precaution. We assume you are using a graphical login if you are reading this, so your startup should have already set these for you. The example in Listing 6 is from our Ubuntu system and shows the values of the DISPLAY and XAUTHORITY variables as well as the ownership for the file pointed to by the XAUTHORITY variable.
Listing 6. DISPLAY and XAUTHORITY
ian@pinguino:~$ echo $DISPLAY :0.0 ian@pinguino:~$ echo $XAUTHORITY /var/run/gdm/auth-for-ian-WoeKHn/database ian@pinguino:~$ ls -l $XAUTHORITY -rw------- 1 ian ian 53 2011-04-01 16:24 /var/run/gdm/auth-for-ian-WoeKHn/database
Now we attempt to use
sudo to run the
xclock command as user
editor, again on our Ubuntu system. As
Listing 7 shows, the
values for DISPLAY and XAUTHORITY variables are the same as for user
ian, but the
xclock command fails.
Listing 7. DISPLAY and XAUTHORITY with sudo
ian@pinguino:~$ sudo -u editor echo $DISPLAY [sudo] password for ian: :0.0 ian@pinguino:~$ sudo -u editor echo $XAUTHORITY /var/run/gdm/auth-for-ian-WoeKHn/database ian@pinguino:~$ sudo -u editor xclock No protocol specified Error: Can't open display: :0.0
In this case, user
editor has the XAUTHORITY
variable set to /var/run/gdm/auth-for-ian-WoeKHn/database, but we
already saw that the permissions on that file only allow user
ian to read or write it. The variable may
as well not be set if user
read the file it points to. Before we look at how to address this
issue, let's look at what happens if we unset either the DISPLAY or
XAUTHORITY variables for user
do this by running the
xclock command with
an environment variable modified using the
-u option to unset an environment
variable before running
xclock. Our results
are in Listing 8.
Listing 8. Unsetting DISPLAY and XAUTHORITY
ian@pinguino:~$ env -u DISPLAY xclock Error: Can't open display: ian@pinguino:~$ env -u XAUTHORITY xclock
You may be surprised to see that the
command runs, even though we unset the XAUTHORITY environment
So far, we have mentioned the MIT-MAGIC-COOKIE-1 security method. If
the token is not provided, the X server will also check a list of
authorized hosts. Use the
xhost command to
display or update the list. Use the
option to add entries and the
- option to
remove entries. Use the special family entry
local: (note the ':') to allow access to
the display by any local user on the system. Since you are a single
user system, this means that you can su to an arbitrary non-root user
and can now launch
xclock or other X
applications. We illustrate the use of the
xhost command in Listing 9.
Listing 9. Using xhost
ian@pinguino:~$ xhost access control enabled, only authorized clients can connect SI:localuser:ian ian@pinguino:~$ xhost +local: non-network local connections being added to access control list ian@pinguino:~$ xhost access control enabled, only authorized clients can connect LOCAL: SI:localuser:ian ian@pinguino:~$ sudo -u editor xclock ian@pinguino:~$ # Close the xclock window to return here ian@pinguino:~$ xhost -local: non-network local connections being removed from access control list ian@pinguino:~$ xhost access control enabled, only authorized clients can connect SI:localuser:ian
On a single user system, enabling the display for use by all local
users is usually a reasonable and simple solution. If you need to be
more restrictive, use the
xauth to extract
the cookie from your XAUTHORITY file and give it to the user who needs
access to the display. In Listing 10 we perform the following tasks:
ianto display the cookie in a format that can be emailed or otherwise sent to the desired other user.
sudo -sand switch to user
editorto run several commands.
xauthto create a new authorization file. Note that we used
echoto pipe the data to stdin while splitting the command over several lines by using a trailing backslash (\).
- We export a new value for the XAUTHORITY variable so it now points to our newly created authorization file.
- Finally, we run the xclock command using a trailing ampersand (&) to run it in the background and retain control of our terminal window.
Listing 10. Using xauth
ian@pinguino:~$ xauth -f $XAUTHORITY nextract - :0 0100 0008 70696e6775696e6f 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 3c4bc87 c2ce4ce5e97f8199c213b4ec9 ian@pinguino:~$ sudo -s -u editor editor@pinguino:~$ echo "0100 0008 70696e6775696e6f 0001 30 0012"\ > " 4d49542d4d414749432d434f4f4b49452d31"\ > " 0010 3c4bc87c2ce4ce5e97f8199c213b4ec9" | > xauth -f ~editor/temp-xauth nmerge - xauth: creating new authority file /home/editor/temp-xauth editor@pinguino:~$ export XAUTHORITY=~editor/temp-xauth editor@pinguino:~$ xclock&  4827
This brief introduction will probably get you started with running X
applications as another user. Although we have used Ubuntu as an
example, the basic principles we have demonstrated here apply to all
distributions. For more details on using the
commands, you can use any of these commands as appropriate to view the
online manual pages: