Technical aside: X11 forwarding and su

Sometimes you need to run X applications while on a server far, far away. But X forwarding is tricky: you need to authenticate hosts by cookies shared between your local workstation and the different servers on which you might be working. These cookies are not passed on when you switch users on a remote machine, for instance with sudo or su.

To circumvent this well-intentioned barrier, I suggest following the advice in this article from Debian Administration. As is often the case, the best little bits of knowledge are in the comments rather than the article itself. I’ll highlight two useful comments below.

One method, which is clean but requires your .Xauthority file to be readable by the user you intend to become:

  1. Log in remotely: ssh -X user@hostname
  2. Switch users (assuming root in this case): su -
  3. Merge the Xauth information like this: xauth merge /home/user/.Xauthority

Another, which does not require any changes in permissions, has you copy and change settings using the xauth command:

  1. Get a list of cookies for each display, after remote login but prior to performing su.
    linux> xauth list
    jupiter.x.com/unix:14 MIT-MAGIC-COOKIE-1 ec0778f78a8b342429399eba5ff2632e
    jupiter.x.com/unix:16 MIT-MAGIC-COOKIE-1 82a777aa883decc099dfb88ad5c1cf7a
    jupiter.x.com/unix:15 MIT-MAGIC-COOKIE-1 f4abb7722882168eb3c145b3c926cb53
    jupiter.x.com/unix:11 MIT-MAGIC-COOKIE-1 ff99c450ff208f66332a12e8bdb3a8c6
    jupiter.x.com/unix:10 MIT-MAGIC-COOKIE-1 6f640f12f809c265968828c983661afc
  2. Find your display. On the remote host, the DISPLAY environment variable (you can check it with printenv) may be set to localhost:10.0, but the cookie may be stored under a different name variation of display 10 (like jupiter.x.com/unix:10 in the list above):
    linux> echo $DISPLAY
    localhost:10.0
  3. Perform su:
    linux> su -l user_i_want_to_be
  4. Set the cookie to the number matching your $DISPLAY (in this case 10):
    linux> xauth add jupiter.x.com/unix:10 MIT-MAGIC-COOKIE-1 6f640f12f809c265968828c983661afc

There you have it!
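Steps 1, 2 and 4 of the second method can be scripted so that the cookie is matched by display number rather than picked by eye. The following is an added example, not part of the original post or the Debian Administration comments; the function names are hypothetical, and the host name and cookie values in the sample are constructed.

```shell
#!/bin/sh
# Constructed sample of `xauth list` output (host and cookies are made up).
SAMPLE_XAUTH_LIST='remote.example/unix:11  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100
remote.example/unix:10  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

# Reduce a DISPLAY value such as "localhost:10.0" to its display number "10".
display_number() {
    d=${1##*:}                  # drop the host part  -> "10.0"
    printf '%s\n' "${d%%.*}"    # drop the screen part -> "10"
}

# Read `xauth list` output on stdin and print the `xauth add` command for the
# entry whose display number matches the DISPLAY value given as $1.
# Fails (exit 1) unless exactly one well-formed entry matches, so a missing or
# ambiguous cookie is noticed before su rather than after.
xauth_add_command() {
    num=$(display_number "$1")
    awk -v n="$num" '
        # Accept only lines shaped like: name MIT-MAGIC-COOKIE-1 hexcookie
        NF == 3 && $2 == "MIT-MAGIC-COOKIE-1" &&
        $1 ~ "^[A-Za-z0-9._/:-]+$" && $3 ~ "^[0-9a-f]+$" {
            d = $1
            sub(/.*:/, "", d)   # keep what follows the last colon
            sub(/\..*/, "", d)  # drop an optional screen suffix
            if (d == n) { h = $1; p = $2; c = $3; count++ }
        }
        END {
            if (count != 1) exit 1
            print "xauth add", h, p, c
        }'
}

# Demo on the constructed sample. On a real host, before su, use instead:
#   xauth list | xauth_add_command "$DISPLAY"
printf '%s\n' "$SAMPLE_XAUTH_LIST" | xauth_add_command "localhost:10.0"
```

Run it before su and paste the printed line into the new user's shell after su. The output contains the secret cookie, so treat it like a password.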
