SU problems
Hello, everyone: Recently I installed ver 2.2 of debian on a new machine for netsaint monitoring. Previously, I had experience only with Redhat distros. Everything was going ok until i decided to give webmin (http://www.webmin.com) a try. It installed ok, but when I created the group netsaint using the webmin interface, the su stopped working... (at least, that's what I think caused it). I can login without problems, but if I try to su - root or su - , it gives me an authentication failure. When I log as root and su to another user, it works ok (since its set by default to be able to su without password). I checked the shadow file and it seems to be alright. I erased the netsaint user/group and still nothing. Can anybody shed some light in this subject? Regards Rafael
Re: su problems with xdm
Jason Willoughby hat gesagt: // Jason Willoughby wrote: > On Sun, 6 Jun 1999, Alisdair McDiarmid wrote: > > > [root%letdown /home/alisdair] # xmcd > > Xlib: connection to ":0.0" refused by server > > Xlib: Client is not authorized to connect to Server > > Error: Can't open display: :0.0 > > Yeah, xdm is more paranoid than startx. You can disable access controls > by running, as alisdair, "xhost +". Check the man page for more info. I would not recommend this if your connected to a network like the internet. Better read "man xauth". I suggest you write a little shellscript for root, that automates xauth-authorization like this: #!/bin/sh # xauth4root - sets Xauthority the way I want it export DISPLAY=:0.0 xauth -f /home/YOUR_USERNAME_HERE/.Xauthority extract - $DISPLAY | xauth merge - $* Then you can start e.g gvim with: % xauth4root gvim -- ____ Frank Barknecht __ __ trip\ \ / /wire __ / __// __ /__/ __// // __ \ \/ / __ \\ ___\ / / / / / / / // // /\ \\ ___\\ \ /_/ /_/ /_/ /_//_// / \ \\_\\_\ /_/\_\
Re: su problems with xdm
On Sun, Jun 06, 1999 at 12:29:58AM +, Alisdair McDiarmid wrote: > I've got problems running X apps as root with xdm. See /usr/doc/xfree86-common/FAQ. -- G. Branden Robinson | Measure with micrometer, Debian GNU/Linux | mark with chalk, [EMAIL PROTECTED] | cut with axe, cartoon.ecn.purdue.edu/~branden/ | hope like hell. pgpsmCx1kpsuA.pgp Description: PGP signature
Re: su problems with xdm
On Sat, Jun 05, 1999 at 07:58:36PM -0400, Jason Willoughby wrote: > > Yeah, xdm is more paranoid than startx. You can disable access controls > by running, as alisdair, "xhost +". Check the man page for more info. great, thanks! -- alisdair mcdiarmid [i won't tear again i won't breathe in the shards of what is left]
Re: su problems with xdm
On Sun, 6 Jun 1999, Alisdair McDiarmid wrote: > [root%letdown /home/alisdair] # xmcd > Xlib: connection to ":0.0" refused by server > Xlib: Client is not authorized to connect to Server > Error: Can't open display: :0.0 Yeah, xdm is more paranoid than startx. You can disable access controls by running, as alisdair, "xhost +". Check the man page for more info.
su problems with xdm
I've got problems running X apps as root with xdm. If I log in as alisdair (my main user) and su root in a terminal window, any attempt to run an X application fails: [root%letdown /home/alisdair] # xmcd Xlib: connection to ":0.0" refused by server Xlib: Client is not authorized to connect to Server Error: Can't open display: :0.0 This doesn't occur if I use startx as alisdair, and then su, or login from xdm as root. Why is this happening and how can I fix it? Thanks, -- alisdair mcdiarmid [i won't tear again i won't breathe in the shards of what is left]
Re: Weird su problems
On 03-Jun-99 Chris wrote: > On Thu, Jun 03, 1999 at 05:14:22AM -, Pollywog wrote: >> >> On 03-Jun-99 Chris wrote: >> > It looks like some element relating to su has been broken. I apologize >> > for >> >> Yes, it is shellutils package, and to fix it, just make /bin/su suid root. >> > Yep, that did the trick. Thanks! Now, my next question regards things that > change permissions while you're not looking. For instance, I changed the > groups on my /etc/ppp directory yesterday (mentioned in my last post), and > today it was changed back to root:root. Is this something that might be a > cron job? I must admit ignorance to cron syntax... What should I look for? > > Thanks again, Perhaps you updated your system? Whenever you update your system (upgrading ppp for instance) the directory permissions will revert to their defaults. You can make a script to change things back each time you update software. I did that just two days ago because I prefer that certain executables be owned root.wheel and be non-executable by 'others' -- Andrew
Re: Weird su problems
On Thu, Jun 03, 1999 at 05:14:22AM -, Pollywog wrote: > > On 03-Jun-99 Chris wrote: > > It looks like some element relating to su has been broken. I apologize for > > Yes, it is shellutils package, and to fix it, just make /bin/su suid root. > Yep, that did the trick. Thanks! Now, my next question regards things that change permissions while you're not looking. For instance, I changed the groups on my /etc/ppp directory yesterday (mentioned in my last post), and today it was changed back to root:root. Is this something that might be a cron job? I must admit ignorance to cron syntax... What should I look for? Thanks again, -Chris
Re: Weird su problems
On Thu, 3 Jun 1999, Chris wrote: > It looks like some element relating to su has been broken. I apologize for > not knowing which package contains su, but I have the latest version for > Potato (x86) as of Wednesday (yesterday). I've just discovered that > su fails to work on the console, too. Should I downgrade some packages (and > if so, how is that done?) or wait until the next version of package x(y,z) > to come out? Is anyone else having this problem? The easiest way to find out which package an installed file comes from is to use the dpkg -S option. For example: $ dpkg -S /bin/su shellutils: /bin/su The su problem has beed fixed as of a few hours ago: a new shellutils package was uploaded as soon as they confirmed the bug reports and rebuilt the package with the suid bit properly set. After that, it takes a few hours to propagate to the mirrors. i believe the ppp problem has beed discussed on the list as well, check the archives for more info and probably fixes.
RE: Weird su problems
On 03-Jun-99 Chris wrote: > It looks like some element relating to su has been broken. I apologize for > not knowing which package contains su, but I have the latest version for > Potato (x86) as of Wednesday (yesterday). I've just discovered that > su fails to work on the console, too. Should I downgrade some packages (and > if so, how is that done?) or wait until the next version of package x(y,z) > to come out? Is anyone else having this problem? Yes, it is shellutils package, and to fix it, just make /bin/su suid root. -- Andrew
Weird su problems
Well, living on the blleding edge seems to have finally bitten me in the ass ;-) I normally do an apt-get update;apt-get upgrade every week or so unless I hear about major fixes. I did such an upgrade earlier today, upgrading nearly everything that could be upgraded. The only immediate abnormality was that X seemed to freeze (I could move the mouse, but clicking did nothing) soon after I upgraded some Gnome packages. When I got back to my machine later, I found that ppp had reset some permissions on the ppp directory (it took dip off of the group, for some reason). I went to su to root, and I got a bad password error. Of course, I totally panicked. I quit X and restarted it, but the problem remained. As a desperate measure, I switched to another console and tried to log in as root and... it worked. It looks like some element relating to su has been broken. I apologize for not knowing which package contains su, but I have the latest version for Potato (x86) as of Wednesday (yesterday). I've just discovered that su fails to work on the console, too. Should I downgrade some packages (and if so, how is that done?) or wait until the next version of package x(y,z) to come out? Is anyone else having this problem? Thanks, -Chris
Re: SU Problems
All of the suggestions were more or less appropriate, but I think a more secure way to grant another user the right to run programs on your display is to use xauth. See the xauth manpage for more details, but I use xauth extract - $DISPLAY | rsh otherhost xauth merge - to allow *only* myself on otherhost to connect to the current display. If I had used something like "xhost +otherhost" then anyone on otherhost could snoop my display, or whatever... -- Rob -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SU Problems
I just tried a couple of thing that seem to work. 1. Put the "export XAUTHORITY=~paul/.Xauthority in your .bashrc file. When you su to another user the XAUTHORITY environment variable still exists! Works fine. 2. Did you ever notice what happens when you su to another user with the USER enviroment variable? It does not change unless you su a second time! Therefore you could put in the root's .bashrc -- "export XAUTHORITY=$USER/.Xauthority" Both of these worked for me. It would also appear to me to be more secure than the xhost methold mentioned by others. Also I have run across programs that do not like the "xhost +localhost" methold. On Mon, 2 Jun 1997, Paul McDermott wrote: > thanks jens, is there a way so i don't have to type the command all the time? > thanks again. > Paul > > > On Mon, 2 Jun 1997, Jens B. Jorgensen wrote: > > > Paul McDermott wrote: > > > > > > Hi folks, I just installed X version 3.2 on my system this past few > > > weeks. I am having problems do things as su. ie for the first error > > > message is one that I receive whenever I try to run an X program as su. > > > This error message is when I was trying to use xclock. I have check > > > xclocks permissions, ownership both seem to be in order. Ownership is > > > root.root and the Permissions are 755. This error happens when I try to > > > run all x programs. > > > > > > Xlib: connection to ":0.0" refused by server > > > Xlib: Client is not authorized to connect to Server > > > open display failed > > > InitXWindows failed, exiting > > > > > > This error is when I try to run emacs as su. > > > > > > Xlib: connection to ":0.0" refused by server > > > Xlib: Client is not authorized to connect to Server > > > emacs: Cannot connect to X server :0.0. > > > Check the DISPLAY environment variable or use `-d'. > > > Also use the `xhost' program to verify that it is set to permit > > > connections from your machine. > > > > > > I cam run things as user paul and if I login as root. If you have any > > > suggestions or need any more information please email me. > > > Paul > > > > > > > If you log in as paul and then su to root, then after you su type > > > > export XAUTHORITY=~paul/.Xauthority > > > > -- > > Jens B. Jorgensen > > [EMAIL PROTECTED] > > > > > -- > TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to > [EMAIL PROTECTED] . > Trouble? e-mail to [EMAIL PROTECTED] . > > http://www.sound.net/~wpmills/ - : W. Paul Mills : Bill, I was there several years ago. : : Topeka, Kansas, U.S.A. : Why would I want to go back tomorrow?: : [EMAIL PROTECTED] : Where were you! : : [EMAIL PROTECTED] : : : [EMAIL PROTECTED] : Linux: Tomorrow's operating system, : : [EMAIL PROTECTED] :here, today. : : [EMAIL PROTECTED] : : : compuserve 70023,1750 : #define MY_TRUE_LOVE computer: -- http://homepage.midusa.net/~wpmills/ - -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SU Problems
I just do: 8<->8 ~ # pwd /root ~ # ln -s /home/karlheg/.Xauthority . 8<->8 I've also got "~karlheg/.emacs" and several other files like it symlinked in the same way for 'root'. I always use the computer logged in as myself, from XDM, and have entries in "/etc/super.tab" (man super) like this: 8<->8 xemacs /usr/local/bin/xemacs karlheg @localhost \ setenv="DISPLAY=unix:0" \ setenv="PATH=/usr/local/bin:/usr/bin:/bin:/usr/lib/texmf/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/bin/X11:/usr/games" \ password=n \ uid=root gid=root\ info="XEmacs editor as 'root'" tkps/usr/bin/X11/tkps karlheg @localhost \ setenv="DISPLAY=unix:0" \ setenv="PATH=/usr/bin:/bin" \ password=n \ uid=root gid=root \ info="TkPs process table tool; X-Windows Tk interface" gitps /usr/bin/gitps karlheg @localhost \ setenv="PATH=/usr/bin:/bin" \ password=n \ uid=root gid=root \ info="gitps process table tool; Console ncurses interface" xterm /usr/X11R6/bin/xterm karlheg @localhost \ setenv="DISPLAY=unix:0" \ setenv="PATH=/usr/local/bin:/usr/bin:/bin:/usr/lib/texmf/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/games:/usr/bin/X11" \ password=n \ uid=root gid=root \ info="XTerm" 8<->8 ... And I have menu entries on my Fvwm2 menu that `exec super xterm` and `exec super xemacs`, so that I can fire off an xterm or xemacs and be 'root' anytime I need to. In my "/usr/local/lib/xemacs-20.2/lisp/site-start.el" file, I have this: 8<->8 ;; FSF Emacs has this function already; no defalias needed. (defalias 'shell-command-to-string 'exec-to-string) (let ((string (shell-command-to-string "whoami"))) (setq logname (substring string 0 (1- (length string) 8<->8 ... and then, from the XEmacs customize menu (Options|Customize|Variable...), I made the titlebar string be: '(frame-title-format (quote ("" logname (":%b"))) t) Since "~/.emacs", as root, is a symlink to "~karlheg/.emacs", I get the same setting as either user... but a `super xemacs` will say 'root:filename' in the titlebar, and a normal one will say 'karlheg:filename'. I have my "~karlheg" directory SGID, so that if 'root' makes any changes to the ".emacs", 'karlheg' will still be able to write to the file. In "/etc/profile", I have this: 8<->8 # Display the status of the last command if non-zero status_after_prompt() { prompt_status=$? if [ $prompt_status != 0 ] then echo "[status $prompt_status]" fi } export -f status_after_prompt export PROMPT_COMMAND=status_after_prompt # Set the titlebar of XTerms to reflect our current working directory. if [ $TERM == emacs ] then export PS1='\w\n\$ ' elif [ "$TERM" = "xterm" -o "$TERM" = "xterm-color" ] then # There are real control chars here. set_titlebar () { echo -n "]2;$*"; } export -f set_titlebar my_dirname () { if [ "${PWD#$HOME}" != "$PWD" ] then echo '~'${PWD#$HOME} else echo $PWD fi } export -f my_dirname export PS1='\n\!\$ ' PROMPT_COMMAND=$PROMPT_COMMAND';eval set_titlebar "[EMAIL PROTECTED]:$(my_dirname)"' export PROMPT_COMMAND else export PS1='[EMAIL PROTECTED]:\w\n\!\$ ' fi # this is a beat-the-television style kludge to get color working right. if [ "$TERM" = "xterm" ] then export TERM="xterm-color" tset 2> /dev/null fi 8<->8 ... and now xterms have the titlebar set in the similar fashion; and I can tell by looking whether it's a `super xterm` or a normal one. Get all that? :-) -- Karl M. Hegbloom <[EMAIL PROTECTED]> http://www.inetarena.com/~karlheg Portland, OR USA Debian GNU 1.2 Linux 2.1.36 AMD K5 PR-133 -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SU Problems
On Jun 2, Ed Donovan wrote > > You could just add > > xhost +localhost > > to your .xinitrc file, if you don't have any xhost commands there > already. Jens has suggested "export XAUTHORITY=~paul/.Xauthority"; I > don't immediately know which method would be preferable. The xhost > method would solve this problem for any userid, and wouldn't require > changes to any other config files to automate it. [snip] ... but allows any local user to connect to your X server, spy on your keystrokes and generally wreak havoc on your machine if they feel like it. So it's a very bad idea Setting XAUTHORITY (or copying the .Xauthority file) is better. Assuming nobody can snoop on the file while it is being copied, your machine is just as secure as it was before... only users who have the proper .Xauthority file can connect to the X server. (I've made myself a tiny alias called 'sysadmin' which copies the .Xauthority file to root's account and then spawns an xterm with "su - root". Works like a charm.) Christian pgpukDcd4OmI6.pgp Description: PGP signature
Re: SU Problems
> "Paul" == Paul McDermott <[EMAIL PROTECTED]> writes: Paul> Hi folks, I just installed X version 3.2 on my system this Paul> past few weeks. I am having problems do things as su. ie for Paul> the first error message is one that I receive whenever I try Paul> to run an X program as su. This error message is when I was Paul> trying to use xclock. I have check xclocks permissions, Paul> ownership both seem to be in order. Ownership is root.root and Paul> the Permissions are 755. This error happens when I try to run Paul> all x programs. Paul> Xlib: connection to ":0.0" refused by server Xlib: Client is Paul> not authorized to connect to Server open display failed Paul> InitXWindows failed, exiting Paul> This error is when I try to run emacs as su. Paul> Xlib: connection to ":0.0" refused by server Xlib: Client is Paul> not authorized to connect to Server emacs: Cannot connect to X Paul> server :0.0. Check the DISPLAY environment variable or use Paul> `-d'. Also use the `xhost' program to verify that it is set Paul> to permit connections from your machine. A little while ago this started happening to me and others under Debian's X setup. I've added localhost to my 'xhost +' list in my .xinitrc, and now programs run under other uid's in my X display work fine. It seems to me as if localhost used to be allowed by default, and is no longer, but maybe something about userids allowed to use the display changed instead. I don't know if the change would be XFree86's or Debian's; I can't find a changelog for xbase. You could just add xhost +localhost to your .xinitrc file, if you don't have any xhost commands there already. Jens has suggested "export XAUTHORITY=~paul/.Xauthority"; I don't immediately know which method would be preferable. The xhost method would solve this problem for any userid, and wouldn't require changes to any other config files to automate it. On the other hand, there could be valid security reasons not to do so--most of the machines I've run X on have been single-user workstations, so I haven't had to worry about inter-user issues like that. Hope this helps, -- Ed Donovan [EMAIL PROTECTED] -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SU Problems
thanks jens, is there a way so i don't have to type the command all the time? thanks again. Paul On Mon, 2 Jun 1997, Jens B. Jorgensen wrote: > Paul McDermott wrote: > > > > Hi folks, I just installed X version 3.2 on my system this past few > > weeks. I am having problems do things as su. ie for the first error > > message is one that I receive whenever I try to run an X program as su. > > This error message is when I was trying to use xclock. I have check > > xclocks permissions, ownership both seem to be in order. Ownership is > > root.root and the Permissions are 755. This error happens when I try to > > run all x programs. > > > > Xlib: connection to ":0.0" refused by server > > Xlib: Client is not authorized to connect to Server > > open display failed > > InitXWindows failed, exiting > > > > This error is when I try to run emacs as su. > > > > Xlib: connection to ":0.0" refused by server > > Xlib: Client is not authorized to connect to Server > > emacs: Cannot connect to X server :0.0. > > Check the DISPLAY environment variable or use `-d'. > > Also use the `xhost' program to verify that it is set to permit > > connections from your machine. > > > > I cam run things as user paul and if I login as root. If you have any > > suggestions or need any more information please email me. > > Paul > > > > If you log in as paul and then su to root, then after you su type > > export XAUTHORITY=~paul/.Xauthority > > -- > Jens B. Jorgensen > [EMAIL PROTECTED] > -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SU Problems
Before you "SU" to root type 'xhost +' this will disable X windows access control. Remember X windows is a network program and has to authorize every user before it will let you run an application. By the way xhost + is also not the most secure way of handling this problem. Do a 'man xhost' and check out the specific params. --Matt PS. Time to get back into the swing of Linux use and not development again. After porting linux to run on an VIC20 for a university project I am sick of assembly (had to port GCC over as well :) PPS. anyone want a VIC20 port of linux before I delete the 500megs of files from my hard drive? On Mon, 2 Jun 1997, Paul McDermott wrote: > Hi Roberto, I did use su. I can't run any x programs as su, only as user > paul. Any other ideas. > > > On Mon, 2 Jun 1997, Roberto Magana wrote: > > > Use su - > > > > % > > > > <[EMAIL PROTECTED]> Roberto Magana. Escuela de Fisica UCR. > > (The Physics Dept. University of Costa Rica.) > > > > % > > > > > > -- > > TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to > > [EMAIL PROTECTED] . > > Trouble? e-mail to [EMAIL PROTECTED] . > > > > > > > -- > TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to > [EMAIL PROTECTED] . > Trouble? e-mail to [EMAIL PROTECTED] . > -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SU Problems
Paul McDermott wrote: > > Hi folks, I just installed X version 3.2 on my system this past few > weeks. I am having problems do things as su. ie for the first error > message is one that I receive whenever I try to run an X program as su. > This error message is when I was trying to use xclock. I have check > xclocks permissions, ownership both seem to be in order. Ownership is > root.root and the Permissions are 755. This error happens when I try to > run all x programs. > > Xlib: connection to ":0.0" refused by server > Xlib: Client is not authorized to connect to Server > open display failed > InitXWindows failed, exiting > > This error is when I try to run emacs as su. > > Xlib: connection to ":0.0" refused by server > Xlib: Client is not authorized to connect to Server > emacs: Cannot connect to X server :0.0. > Check the DISPLAY environment variable or use `-d'. > Also use the `xhost' program to verify that it is set to permit > connections from your machine. > > I cam run things as user paul and if I login as root. If you have any > suggestions or need any more information please email me. > Paul > If you log in as paul and then su to root, then after you su type export XAUTHORITY=~paul/.Xauthority -- Jens B. Jorgensen [EMAIL PROTECTED] -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SU Problems
Hi Roberto, I did use su. I can't run any x programs as su, only as user paul. Any other ideas. On Mon, 2 Jun 1997, Roberto Magana wrote: > Use su - > > % > > <[EMAIL PROTECTED]> Roberto Magana. Escuela de Fisica UCR. > (The Physics Dept. University of Costa Rica.) > > % > > > -- > TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to > [EMAIL PROTECTED] . > Trouble? e-mail to [EMAIL PROTECTED] . > > -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SU Problems
Use su - % <[EMAIL PROTECTED]> Roberto Magana. Escuela de Fisica UCR. (The Physics Dept. University of Costa Rica.) % -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
SU Problems
Hi folks, I just installed X version 3.2 on my system this past few weeks. I am having problems do things as su. ie for the first error message is one that I receive whenever I try to run an X program as su. This error message is when I was trying to use xclock. I have check xclocks permissions, ownership both seem to be in order. Ownership is root.root and the Permissions are 755. This error happens when I try to run all x programs. Xlib: connection to ":0.0" refused by server Xlib: Client is not authorized to connect to Server open display failed InitXWindows failed, exiting This error is when I try to run emacs as su. Xlib: connection to ":0.0" refused by server Xlib: Client is not authorized to connect to Server emacs: Cannot connect to X server :0.0. Check the DISPLAY environment variable or use `-d'. Also use the `xhost' program to verify that it is set to permit connections from your machine. I cam run things as user paul and if I login as root. If you have any suggestions or need any more information please email me. Paul -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .