2012-10-25

Granting Root access to all XOrg / X11 Displays on a machine.

Jump here if you just want the code

xauth is hard

There are many techniques for allowing root ( or any other user ) to open programs on your display.

When not configured to do so, simple things don't work, and there are 2 general results you get:

No previous attempt at getting xauth based auth to work

> sudo gvim 
No protocol specified
E233: cannot open display
E852: The child process failed to start the GUI
No protocol specified
                                                                                             
Press ENTER or type command to continue

With Previous attempts at using xauth based auth

Invalid MIT-MAGIC-COOKIE-1 key
E233: cannot open display
E852: The child process failed to start the GUI
Invalid MIT-MAGIC-COOKIE-1 key


This case occurs I believe due to your X display having a unique authentication key per session.

But your display likely stores an Xauthority database somewhere on disk

I discovered this little gem when looking at some of the code VirtualGL/Bumblebee uses ( because it has to run a secret display as a different user, and that different user has to be able to write to your screen )
set_xauth() {

# common case (works in almost all tested environments (except of lightdm)):
XAUTHORITY="$(ps wwax -C X,Xorg -o args= --sort=-stime | grep -m 1 -o '\B[-]auth\s*/var\S*auth\S*' | cut -d ' ' -f 2)"

# kdm and some others:
# XAUTHORITY="$(find /var/run/xauth/A${DISPLAY}-*|tail -n1)"

# gdm:
# XAUTHORITY="/var/gdm/${DISPLAY}.Xauth"

# slim:
# XAUTHORITY="/var/run/slim.auth"

# lightdm:
# XAUTHORITY="/var/run/lightdm/root/${DISPLAY}"

}


And as I'm running kdm I took a look at the relevant command.

$ find /var/run/xauth/A${DISPLAY}-*|tail -n1
/var/run/xauth/A:0-xNjOfc


Aha. Useful.

sudo xauth -f /var/run/xauth/A\:0-xNjOfc  list
#ffff##:  MIT-MAGIC-COOKIE-1  711f067eae4ec73599dc38dbfaa164f0

Oh handy. That hex code is the key you need to access the relevant display :D.

$ xterm
Invalid MIT-MAGIC-COOKIE-1 key
xterm: Xt error: Can't open display: %s
$ xauth add :0 MIT-MAGIC-COOKIE-1 700f067eae4ec73599dc38dbe7a164f1
$ xterm 
$ # success!


Putting it all together

Here's a blob of shell script I have in /root/.bash_profile:
setup_xauth() {
 authfile=$( echo /var/run/xauth/A${DISPLAY}-* );
 if [ -z "${DISPLAY}" ]; then
  return
 fi
 if [ ! -f $authfile ]; then
  return;
 fi
 if [ ! -s $authfile ]; then
  return;
 fi
 authtoken=$( xauth -f "$authfile"  nlist | cut -d" " -f 9 );
 xauth add $DISPLAY MIT-MAGIC-COOKIE-1 $authtoken
}

setup_xauth;


Note, its essential that you check for read access to the file, especially if you plan on using this in a non-root users profile code.

If xauth can't read the authfile, it will just block and do nothing, and this is very bad to have in your profile.

Additionally, due to this being defined as a function, all roots shells will have a convenience function 'setup_xauth' that you can call at any time in the event you've had to change $DISPLAY, or in the event you want to access a local X display from a VT

export DISPLAY=:0
setup_xauth
gvim # gvim launches on :0 

1 comment: