Difference between revisions of "Running X apps as root"

From ArchWiki
Jump to: navigation, search
m (The most secure methods)
(Alternate methods)
(6 intermediate revisions by 5 users not shown)
Line 1: Line 1:
[[Category:X Server (English)]]
+
[[Category:X Server]]
[[Category:HOWTOs (English)]]
+
[[ko:Running X apps as root]]
 
+
 
By default, and for security reasons, root will be unable to connect to a non-root user's X server. There are multiple ways of allowing root to do so, if it is necessary.
 
By default, and for security reasons, root will be unable to connect to a non-root user's X server. There are multiple ways of allowing root to do so, if it is necessary.
 
==The most secure methods==
 
==The most secure methods==
Line 15: Line 14:
 
* [[sudo]] (must be installed and properly configured with <code>visudo</code>)
 
* [[sudo]] (must be installed and properly configured with <code>visudo</code>)
 
  $ sudo ''name-of-app''
 
  $ sudo ''name-of-app''
 +
* {{pkg|sux}} (wrapper around su which will transfer your X credentials)
 +
$ sux root ''name-of-app''
  
 
These are the preferred methods, because they automatically exit when the application exits, negating any security risks quite completely.
 
These are the preferred methods, because they automatically exit when the application exits, negating any security risks quite completely.
Line 24: Line 25:
 
* '''Temporarily allow root access'''
 
* '''Temporarily allow root access'''
  
*xhost  
+
:*xhost  
 
  $ xhost +
 
  $ xhost +
 
will temporarily allow root, or ''anyone'' to connect your X server. Likewise,
 
will temporarily allow root, or ''anyone'' to connect your X server. Likewise,
Line 35: Line 36:
  
 
* '''Permanently allow root access'''
 
* '''Permanently allow root access'''
 +
:'''Method 1''': Add the line
 +
 +
<code>session        optional        pam_xauth.so</code>
 +
 +
to <code> /etc/pam.d/su </code> and <code>/etc/pam.d/su-l</code>. Then switch to your root user
 +
using 'su' or 'su -'.
  
*Globally in <code>/etc/profile</code>
+
:'''Method 2''': Globally in <code>/etc/profile</code>
 
Add the following to <code>/etc/profile</code>
 
Add the following to <code>/etc/profile</code>
 
  export XAUTHORITY=/home/non-root-usersname/.Xauthority
 
  export XAUTHORITY=/home/non-root-usersname/.Xauthority

Revision as of 09:21, 1 February 2014

By default, and for security reasons, root will be unable to connect to a non-root user's X server. There are multiple ways of allowing root to do so, if it is necessary.

The most secure methods

The most secure methods are simple. They include:

  • kdesu (included with KDE)
$ kdesu name-of-app
  • gksu (included with GNOME)
$ gksu name-of-app
  • bashrun (in community)
$ bashrun --su name-of-app
  • sudo (must be installed and properly configured with visudo)
$ sudo name-of-app
  • sux (wrapper around su which will transfer your X credentials)
$ sux root name-of-app

These are the preferred methods, because they automatically exit when the application exits, negating any security risks quite completely.

Alternate methods

These methods will allow root to connect to a non-root user's X server, but present varying levels of security risks, especially if you run ssh. If you are behind a firewall, you may consider them to be safe enough for your requirements.

  • Temporarily allow root access
  • xhost
$ xhost +

will temporarily allow root, or anyone to connect your X server. Likewise,

$ xhost -

will disallow this function afterward.

Some users also use:

$ xhost + localhost

(Your X server must be configured to listen to TCP connections for xhost + localhost to work).

  • Permanently allow root access
Method 1: Add the line

session optional pam_xauth.so

to /etc/pam.d/su and /etc/pam.d/su-l. Then switch to your root user using 'su' or 'su -'.

Method 2: Globally in /etc/profile

Add the following to /etc/profile

export XAUTHORITY=/home/non-root-usersname/.Xauthority

This will permanently allow root to connect to a non-root user's X server.

Or, merely specify a particular app:

export XAUTHORITY=/home/usersname/.Xauthority kwrite

(to allow root to access kwrite, for instance.)