Difference between revisions of "Running X apps as root"

From ArchWiki
Jump to: navigation, search
m (rm gap)
(recategorize to avoid redirect (https://github.com/lahwaacz/wiki-scripts/blob/master/recategorize-over-redirect.py))
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Category:X Server]]
+
[[Category:X server]]
 
[[ko:Running X apps as root]]
 
[[ko:Running X apps as root]]
 
By default, and for security reasons, root will be unable to connect to a non-root user's X server. There are multiple ways of allowing root to do so, if it is necessary.
 
By default, and for security reasons, root will be unable to connect to a non-root user's X server. There are multiple ways of allowing root to do so, if it is necessary.
Line 14: Line 14:
 
* [[sudo]] (must be installed and properly configured with <code>visudo</code>)
 
* [[sudo]] (must be installed and properly configured with <code>visudo</code>)
 
  $ sudo ''name-of-app''
 
  $ sudo ''name-of-app''
* {{pkg|sux}} (wrapper around su which will transfer your X credentials)
+
* {{AUR|sux}} (wrapper around su which will transfer your X credentials)
 
  $ sux root ''name-of-app''
 
  $ sux root ''name-of-app''
  
Line 36: Line 36:
  
 
* '''Permanently allow root access'''
 
* '''Permanently allow root access'''
 +
:'''Method 1''': Add the line
  
:*Globally in <code>/etc/profile</code>
+
<code>session        optional        pam_xauth.so</code>
 +
 
 +
to <code> /etc/pam.d/su </code> and <code>/etc/pam.d/su-l</code>. Then switch to your root user
 +
using 'su' or 'su -'.
 +
 
 +
:'''Method 2''': Globally in <code>/etc/profile</code>
 
Add the following to <code>/etc/profile</code>
 
Add the following to <code>/etc/profile</code>
 
  export XAUTHORITY=/home/non-root-usersname/.Xauthority
 
  export XAUTHORITY=/home/non-root-usersname/.Xauthority

Latest revision as of 17:05, 26 July 2015

By default, and for security reasons, root will be unable to connect to a non-root user's X server. There are multiple ways of allowing root to do so, if it is necessary.

The most secure methods

The most secure methods are simple. They include:

  • kdesu (included with KDE)
$ kdesu name-of-app
  • gksu (included with GNOME)
$ gksu name-of-app
  • bashrun (in community)
$ bashrun --su name-of-app
  • sudo (must be installed and properly configured with visudo)
$ sudo name-of-app
  • suxAUR (wrapper around su which will transfer your X credentials)
$ sux root name-of-app

These are the preferred methods, because they automatically exit when the application exits, negating any security risks quite completely.

Alternate methods

These methods will allow root to connect to a non-root user's X server, but present varying levels of security risks, especially if you run ssh. If you are behind a firewall, you may consider them to be safe enough for your requirements.

  • Temporarily allow root access
  • xhost
$ xhost +

will temporarily allow root, or anyone to connect your X server. Likewise,

$ xhost -

will disallow this function afterward.

Some users also use:

$ xhost + localhost

(Your X server must be configured to listen to TCP connections for xhost + localhost to work).

  • Permanently allow root access
Method 1: Add the line

session optional pam_xauth.so

to /etc/pam.d/su and /etc/pam.d/su-l. Then switch to your root user using 'su' or 'su -'.

Method 2: Globally in /etc/profile

Add the following to /etc/profile

export XAUTHORITY=/home/non-root-usersname/.Xauthority

This will permanently allow root to connect to a non-root user's X server.

Or, merely specify a particular app:

export XAUTHORITY=/home/usersname/.Xauthority kwrite

(to allow root to access kwrite, for instance.)