Re: addendum, Re: One-user system.
On Fri, 11 Feb 2022 07:36:10 -0500 Greg Wooledge wrote:

> That makes me curious about what has been done to your system, which
> is clearly behaving differently from mine. "su" with no arguments
> preserves the environment, but "su -" establishes a new environment
> and launches a login shell. The XAUTHORITY variable should be lost,
> but perhaps something in your shell profile(s) is recreating it.

Indeed. In my /etc/bash.bashrc, I have:

# Allow su to use the display, i.e. whitelist the relevant variables.
alias su="su --whitelist-environment=DISPLAY,XAUTHORITY"

We had a discussion on this list after I had problems with su and running X clients after moving from Buster to Bullseye. The alias above came out of that discussion.

--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
Re: addendum, Re: One-user system.
Greg Wooledge wrote:

> On Thu, Feb 10, 2022 at 06:37:04PM -0800, pe...@easthope.ca wrote:
> > root@joule:~# su peter
> > peter@joule:~$ firefox-esr --display=:0
> > Invalid MIT-MAGIC-COOKIE-1 keyUnable to init server: Could not connect:
> > Connection refused
> > Error: cannot open display: :0
> >
> > peter, logged in directly, can run firefox.
> > root, logged in directly, can run firefox.
> > The above is from a security mechanism in firefox?
>
> No, you simply haven't provided enough credentials to the X server.
> It's the X server who's rejecting connections from "peter", because
> "peter" has not presented the correct MIT-MAGIC-COOKIE (auth token).

A different solution, with less security, especially on a multi-user system, might be: enable access for a specific user by "xhost".

In your case, do before "su peter", as user root:

xhost +si:localuser:peter

This prevents the X server security mechanism, which Greg explains. Be aware, it's more dangerous, opening X this way.

Best regards,
Klaus.

--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D 1994-06-27
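An added example, not part of any message in this thread: a shell function that reads `xhost` output and flags entries that let clients connect without presenting the MIT-MAGIC-COOKIE-1, such as the `xhost +si:localuser:peter` grant suggested above. The sample listing is constructed, and the severity labels are this example's own assumption.

```shell
#!/bin/sh
# Classify each line of `xhost` output (read on stdin) by how far it widens
# X server access beyond the cookie check. Prints "LEVEL entry (reason)".
# On a live session: xhost | audit_xhost
audit_xhost() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                printf 'CRITICAL %s (any client that can reach the server may connect)\n' "$line" ;;
            "access control enabled"*|"")
                ;;  # access control is in force; nothing to report for this line
            SI:localuser:*)
                printf 'WARN %s (all processes of local user %s connect without a cookie)\n' \
                    "$line" "${line#SI:localuser:}" ;;
            SI:localgroup:*)
                printf 'WARN %s (all members of local group %s connect without a cookie)\n' \
                    "$line" "${line#SI:localgroup:}" ;;
            LOCAL:*)
                printf 'HIGH %s (every local user may connect)\n' "$line" ;;
            INET:*|INET6:*)
                printf 'HIGH %s (host-based: every user on %s may connect)\n' \
                    "$line" "${line#*:}" ;;
            *)
                printf 'REVIEW %s (unrecognised entry)\n' "$line" ;;
        esac
    done
}

# Constructed sample of what `xhost` could print after the grant above
# plus a host-based entry; not captured from any system in the thread.
SAMPLE_XHOST='access control enabled, only authorized clients can connect
SI:localuser:peter
INET:localhost'

printf '%s\n' "$SAMPLE_XHOST" | audit_xhost
```

Run it again after the su session ends; `xhost -si:localuser:peter` withdraws the grant so the list returns to cookie-only access.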
Re: addendum, Re: One-user system.
On Fri, Feb 11, 2022 at 07:36:10AM -0500, Greg Wooledge wrote:

> On Thu, Feb 10, 2022 at 09:48:40PM -0700, Charles Curley wrote:

[...]

> > So I expect that something has already done the export for me, and it
> > is unnecessary.
>
> unicorn:~$ echo "$XAUTHORITY"
> /home/greg/.Xauthority
> unicorn:~$ su
> Password:
> root@unicorn:/home/greg# echo "$XAUTHORITY"
> /home/greg/.Xauthority
> root@unicorn:/home/greg#
> exit
> unicorn:~$ su -
> Password:
> root@unicorn:~# echo "$XAUTHORITY"
>
> root@unicorn:~#
> logout
>
> That makes me curious about what has been done to your system, which
> is clearly behaving differently from mine. "su" with no arguments
> preserves the environment, but "su -" establishes a new environment
> and launches a login shell. The XAUTHORITY variable should be lost,
> but perhaps something in your shell profile(s) is recreating it.

I'd look in the general direction of pam_env and its corresponding config file /etc/security/pam_env.conf

Cheers
--
t
Re: addendum, Re: One-user system.
On Thu, Feb 10, 2022 at 09:48:40PM -0700, Charles Curley wrote:

> Interesting. I routinely log in as my non-root user, charles, and then
> 'su -', which gets me a root shell. I can then run X programs just
> fine. So your comment above got me curious.
>
> charles@jhegaala:~/Desktop$ su -
> Password:
>
> Today is Sweetmorn, the 41st of Chaos, 3188. Lies and slander, sire!
> root@jhegaala:~# echo $XAUTHORITY
> /home/charles/.Xauthority
> root@jhegaala:~#
>
> So I expect that something has already done the export for me, and it
> is unnecessary.

unicorn:~$ echo "$XAUTHORITY"
/home/greg/.Xauthority
unicorn:~$ su
Password:
root@unicorn:/home/greg# echo "$XAUTHORITY"
/home/greg/.Xauthority
root@unicorn:/home/greg#
exit
unicorn:~$ su -
Password:
root@unicorn:~# echo "$XAUTHORITY"

root@unicorn:~#
logout

That makes me curious about what has been done to your system, which is clearly behaving differently from mine. "su" with no arguments preserves the environment, but "su -" establishes a new environment and launches a login shell. The XAUTHORITY variable should be lost, but perhaps something in your shell profile(s) is recreating it.
Re: addendum, Re: One-user system.
On Thu, 10 Feb 2022 22:27:22 -0500 Greg Wooledge wrote:

> In the more usual scenario, you have started X as peter, and then used
> su to become root. It is precisely at this point where the X auth
> token has become lost, as it's in the home directory of peter, not
> the home directory of root. If peter's home directory is on a local
> file system, then root can probably read it. In that case, you can
> simply do:
>
> export XAUTHORITY=/home/peter/.Xauthority

Interesting. I routinely log in as my non-root user, charles, and then 'su -', which gets me a root shell. I can then run X programs just fine. So your comment above got me curious.

charles@jhegaala:~/Desktop$ su -
Password:

Today is Sweetmorn, the 41st of Chaos, 3188. Lies and slander, sire!
root@jhegaala:~# echo $XAUTHORITY
/home/charles/.Xauthority
root@jhegaala:~#

So I expect that something has already done the export for me, and it is unnecessary.

--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
Re: addendum, Re: One-user system.
On Thu, Feb 10, 2022 at 06:37:04PM -0800, pe...@easthope.ca wrote:

> root@joule:~# su peter
> peter@joule:~$ firefox-esr --display=:0
> Invalid MIT-MAGIC-COOKIE-1 keyUnable to init server: Could not connect:
> Connection refused
> Error: cannot open display: :0
>
> peter, logged in directly, can run firefox.
> root, logged in directly, can run firefox.
> The above is from a security mechanism in firefox?

No, you simply haven't provided enough credentials to the X server. It's the X server who's rejecting connections from "peter", because "peter" has not presented the correct MIT-MAGIC-COOKIE (auth token).

In all honesty, if you have started X as root, my advice at this point would be to get the HELL out of that X session. Do not try to proceed. Nothing good can result.

In the more usual scenario, you have started X as peter, and then used su to become root. It is precisely at this point where the X auth token has become lost, as it's in the home directory of peter, not the home directory of root. If peter's home directory is on a local file system, then root can probably read it. In that case, you can simply do:

export XAUTHORITY=/home/peter/.Xauthority

And then the su session running as root will be able to authenticate to peter's X server/session in order to run X clients.

(This doesn't mean you should run firefox as root, though. It just means you *can*. You have the literal authority to do so. It's still a stupidly bad idea.)
addendum, Re: One-user system.
From: David Wright
Date: Wed, 2 Feb 2022 11:08:28 -0600
Message-Id:
> You may hit snags. Some programs might refuse to run, or do
> strange things because they're written to distinguish between
> root and an ordinary user.

After 5+ days, hit one snag.

root@joule:~# su peter
peter@joule:~$ firefox-esr --display=:0
Invalid MIT-MAGIC-COOKIE-1 keyUnable to init server: Could not connect:
Connection refused
Error: cannot open display: :0

peter, logged in directly, can run firefox.
root, logged in directly, can run firefox.
The above is from a security mechanism in firefox?

> Rather than link /root to /home/root probably better to edit
> /etc/passwd to have root homed at /home/root.

Works.

From: pe...@easthope.ca
Date: Fri, 04 Feb 2022 21:41:24 -0800
> Rather than reinvent the wheel, I should use a product of extensive
> development.
> http://wikka.puppylinux.com/DebianDog
> https://github.com/DebianDog/

Nicely polished systems. Most variants have graphics I don't need. DebianDog has "Porteus booting", another layer of complexity. For now will stick to plain Debian and log in as root unless my ordinary account is needed.

Links to downloads, in case someone wants to try DebianDog.
https://debiandog.github.io/doglinux/

Installation instructions here.
https://debiandog.github.io/MakeLive/isodata/Examples-boot-codes.txt

Regards,... P.

--
mobile: +1 778 951 5147
VoIP: +1 604 670 0140
48.7693 N 123.3053 W