Using a GUI application as another user

You may have noticed in the discussion of the su command in the previous section that we ran only commands that displayed output in the terminal window. Usually you will be able to run GUI commands too. For example, some installation programs require you to have root authority to install a program and have a GUI installer. If you find you cannot start GUI applications as another user, then read on, as you may have to take additional steps on some distributions in order to run GUI applications as another user.

Note: Recent distributions often let you have multiple desktops open at once and switch between them using a key sequence such as Ctrl-Alt-F7 or Ctrl-Alt-F8. Depending on what you need to do, this may be another alternative. See the section on Logout for details on this menu option.

GUI applications on Linux use the X Window System, a client-server system designed to allow multiple users to access a computer across a network using windowed applications. An X display is known by a name of the form hostname:displaynumber.screennumber. For Linux running on a workstation such as a PC, there is typically only one display with a single screen. In this case, the displayname may be, and usually is, omitted so the display is known as :0.0, or sometimes just :0.

The X Window System server needs to know the display and also whether you are authorized to connect to the server. Authorization is most commonly done using the MIT-MAGIC-COOKIE-1, which is a long random string that is regenerated whenever the server is reset. So that applications can pass this information to the X server, you will have DISPLAY and XAUTHORITY variables set in your environment. The XAUTHORITY variable will point to a file that is usually only able to be read or written by the owning user as a security precaution. We assume you are using a graphical login if you are reading this, so your startup should have already set these for you. The example in Listing 6 is from our Ubuntu system and shows the values of the DISPLAY and XAUTHORITY variables as well as the ownership for the file pointed to by the XAUTHORITY variable.

ian@pinguino:~$ echo $DISPLAY
:0.0
ian@pinguino:~$ echo $XAUTHORITY
/var/run/gdm/auth-for-ian-WoeKHn/database
ian@pinguino:~$ ls -l $XAUTHORITY
-rw------- 1 ian ian 53 2011-04-01 16:24 /var/run/gdm/auth-for-ian-WoeKHn/database

Now we attempt to use sudo to run the xclock command as user editor, again on our Ubuntu system. As Listing 7 shows, the values for DISPLAY and XAUTHORITY variables are the same as for user ian, but the xclock command fails.

ian@pinguino:~$ sudo -u editor echo $DISPLAY
[sudo] password for ian:
:0.0
ian@pinguino:~$ sudo -u editor echo $XAUTHORITY
/var/run/gdm/auth-for-ian-WoeKHn/database
ian@pinguino:~$ sudo -u editor xclock
No protocol specified
Error: Can't open display: :0.0

In this case, user editor has the XAUTHORITY variable set to /var/run/gdm/auth-for-ian-WoeKHn/database, but we already saw that the permissions on that file only allow user ian to read or write it. The variable may as well not be set if user editor cannot read the file it points to. Before we look at how to address this issue, let's look at what happens if we unset either the DISPLAY or XAUTHORITY variables for user ian.. We'll do this by running the xclock command with an environment variable modified using the env command's -u option to unset an environment variable before running xclock. Our results are in Listing 8.

ian@pinguino:~$ env -u DISPLAY xclock
Error: Can't open display:
ian@pinguino:~$ env -u XAUTHORITY xclock

You may be surprised to see that the xclock command runs, even though we unset the XAUTHORITY environment variable.

So far, we have mentioned the MIT-MAGIC-COOKIE-1 security method. If the token is not provided, the X server will also check a list of authorized hosts. Use the xhost command to display or update the list. Use the + option to add entries and the - option to remove entries. Use the special family entry local: (note the ':') to allow access to the display by any local user on the system. Since you are a single user system, this means that you can su to an arbitrary non-root user and can now launch xclock or other X applications. We illustrate the use of the xhost command in Listing 9.

ian@pinguino:~$ xhost
access control enabled, only authorized clients can connect
SI:localuser:ian
ian@pinguino:~$ xhost +local:
non-network local connections being added to access control list
ian@pinguino:~$ xhost
access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:ian
ian@pinguino:~$ sudo -u editor xclock
ian@pinguino:~$ # Close the xclock window to return here
ian@pinguino:~$ xhost -local:
non-network local connections being removed from access control list
ian@pinguino:~$ xhost
access control enabled, only authorized clients can connect
SI:localuser:ian

On a single user system, enabling the display for use by all local users is usually a reasonable and simple solution. If you need to be more restrictive, use the xauth to extract the cookie from your XAUTHORITY file and give it to the user who needs access to the display. In Listing 10 we perform the following tasks:

1. Use xauth as user ian to display the cookie in a format that can be emailed or otherwise sent to the desired other user.
2. Use sudo -s and switch to user editor to run several commands.
3. Use xauth to create a new authorization file. Note that we used echo to pipe the data to stdin while splitting the command over several lines by using a trailing backslash (\).
4. We export a new value for the XAUTHORITY variable so it now points to our newly created authorization file.
5. Finally, we run the xclock command using a trailing ampersand (&) to run it in the background and retain control of our terminal window.

ian@pinguino:~$ xauth -f $XAUTHORITY nextract - :0
0100 0008 70696e6775696e6f 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 3c4bc87
c2ce4ce5e97f8199c213b4ec9
ian@pinguino:~$ sudo -s -u editor
editor@pinguino:~$ echo "0100 0008 70696e6775696e6f 0001 30 0012"\
> " 4d49542d4d414749432d434f4f4b49452d31"\
> " 0010 3c4bc87c2ce4ce5e97f8199c213b4ec9" |
> xauth -f ~editor/temp-xauth nmerge -
xauth:  creating new authority file /home/editor/temp-xauth
editor@pinguino:~$ export XAUTHORITY=~editor/temp-xauth
editor@pinguino:~$ xclock&
[1] 4827

This brief introduction will probably get you started with running X applications as another user. Although we have used Ubuntu as an example, the basic principles we have demonstrated here apply to all distributions. For more details on using the xauth and xhost commands, you can use any of these commands as appropriate to view the online manual pages:

• info xauth
• man xauth
• info xhost
• man xhost

6 of 11 | Previous | Next

Comments

Back to top

Table of contents

• Introduction
• Login
• Navigation and settings
• Command line access
• Becoming superuser (or root)
• Using a GUI application as another user
• Removable devices
• Logout
• Adding users and groups
• Resources
• About the author

---

6 of 11 | Previous | Next