Solved: X apps no longer work with sudo after upgrade to Squeeze
I could have guessed I'd find the answer just after posting, but perhaps this will make it easier for the next googler. I had written:
Summary: After upgrade from Lenny to Squeeze, I can no longer execute X apps using sudo in an ssh session. Why not, and how can I restore this ability?
A careful reading of the manpage for the /etc/sudoers file (man 5 sudoers) yields this insight, under EXAMPLES:

    # Run X applications through sudo; HOME is used to find the
    # .Xauthority file. Note that other programs use HOME to find
    # configuration files and this may lead to privilege escalation!
    Defaults env_keep += "DISPLAY HOME"

It looks like the newer version of sudo no longer preserves $HOME by default (although, the above notwithstanding, it does keep $DISPLAY). Adding the following line to my /etc/sudoers restored my ability to run X apps via sudo:

    Defaults env_keep += "HOME"

Hope someone else finds this helpful.

Ted Ruegsegger
Hmm...my diagnosis was flawed. I had written:
It looks like the newer version of sudo no longer preserves $HOME by default...
It looks like the older version didn't preserve $HOME either; instead it somehow preserved the .Xauthority information itself. As the manpage implies, forcing it to preserve $HOME could have some security implications. If someone knows of a more straightforward solution, please share!

Ted Ruegsegger
I can't set you straight, and I don't know the security implications, but this works:

    ssh -X user@remote-host su-to-root -X -c <command>

You might be asked for the root password, the user password or neither, depending on your setup.

Greg

On 08/06/2011 07:40 PM, Theodore Ruegsegger wrote:
Hmm...my diagnosis was flawed. I had written:
It looks like the newer version of sudo no longer preserves $HOME by default...
It looks like the older version didn't preserve $HOME either; instead it somehow preserved the .Xauthority information itself. As the manpage implies, forcing it to preserve $HOME could have some security implications. If someone knows of a more straightforward solution, please share!
Ted Ruegsegger
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
Gregory Avedissian wrote:
I can't set you straight, and I don't know the security implications, but this works:
ssh -X user@remote-host su-to-root -X -c <command>
You might be asked for the root password, the user password or neither, depending on your setup.
Hmm...hadn't heard of su-to-root before; thanks. Googling suggests it's a shell script, though it doesn't seem to be available on my Ubuntu karmic or the repositories. I did find something called sux which is an X-preserving wrapper around su. Alas, since I've disabled the root password, I can't use that.

I'm a little surprised sudo doesn't have a way of doing this without security risks, since the maintainers are obviously aware of the issue and there's enough information in the environment to deduce the correct .Xauthority. Perhaps in the next release.

Thanks for the reply,
Ted
Have you tried using gksudo?

On Aug 9, 2011 2:12 PM, "Theodore Ruegsegger" <gruntly@gmail.com> wrote:
Gregory Avedissian wrote:
I can't set you straight, and I don't know the security implications, but this works:
ssh -X user@remote-host su-to-root -X -c <command>
You might be asked for the root password, the user password or neither, depending on your setup.
Hmm...hadn't heard of su-to-root before; thanks. Googling suggests it's a shell script, though it doesn't seem to be available on my Ubuntu karmic or the repositories. I did find something called sux which is an X-preserving wrapper around su. Alas, since I've disabled the root password, I can't use that.
I'm a little surprised sudo doesn't have a way of doing this without security risks, since the maintainers are obviously aware of the issue and there's enough information in the environment to deduce the correct .Xauthority. Perhaps in the next release.
Thanks for the reply, Ted
Glad to be of assistance!

On Aug 9, 2011 3:52 PM, "Theodore Ruegsegger" <gruntly@gmail.com> wrote:
Jason Couture wrote:
Have you tried using gksudo?
Aha! That's the answer. Works fine, no reason to alter /etc/sudoers.
Thanks very much!
Ted Ruegsegger
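
An added example, not from the thread or from sudo itself: a shell function that scans a sudoers-format file for active Defaults lines whose env_keep list includes HOME, the setting the manpage excerpt quoted above warns may lead to privilege escalation. The function names and the sample file contents are constructed for illustration, and backslash-continued lines are not handled.

```shell
#!/bin/sh
# Added example: flag active sudoers "Defaults" lines that keep HOME.

# write_sample FILE: constructed sudoers-style content for the demo.
write_sample() {
    cat > "$1" <<'EOF'
# Run X applications through sudo; HOME is used to find the
# .Xauthority file.
# Defaults env_keep += "DISPLAY HOME"
Defaults env_reset
Defaults env_keep += "DISPLAY HOME"
Defaults env_keep -= "HOME"
Defaults env_keep += "HOMEDIR XAUTHORITY"
EOF
}

# find_home_keep FILE: print "LINE: text" for every uncommented Defaults
# line that adds HOME to env_keep; exit status 0 if any was found.
find_home_keep() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out examples
        /^[ \t]*Defaults/ && /env_keep[ \t]*[+]?=/ {
            val = $0
            sub(/.*env_keep[ \t]*[+]?=[ \t]*/, "", val)
            if (val ~ /^"/) {                     # quoted list of names
                sub(/^"/, "", val); sub(/".*/, "", val)
            } else {                              # single unquoted name
                sub(/[ \t,].*/, "", val)
            }
            n = split(val, vars, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (vars[i] == "HOME") { print NR ": " $0; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

tmp=$(mktemp)
write_sample "$tmp"
find_home_keep "$tmp" || echo "no active env_keep entry keeps HOME"
rm -f "$tmp"
```

A reported line marks a place where HOME was kept for every sudo command; the thread's eventual answer, gksudo, needed no such change to /etc/sudoers.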