Granting Root access to all XOrg / X11 Displays on a machine.

Jump here if you just want the code

xauth is hard

There are many techniques for allowing root ( or any other user ) to open programs on your display.

When not configured to do so, simple things don't work, and there are 2 general results you get:

No previous attempt at getting xauth based auth to work

> sudo gvim 
No protocol specified
E233: cannot open display
E852: The child process failed to start the GUI
No protocol specified
Press ENTER or type command to continue

With Previous attempts at using xauth based auth

Invalid MIT-MAGIC-COOKIE-1 key
E233: cannot open display
E852: The child process failed to start the GUI
Invalid MIT-MAGIC-COOKIE-1 key

This case occurs I believe due to your X display having a unique authentication key per session.

But your display likely stores an Xauthority database somewhere on disk

I discovered this little gem when looking at some of the code VirtualGL/Bumblebee uses ( because it has to run a secret display as a different user, and that different user has to be able to write to your screen )
set_xauth() {

# common case (works in almost all tested environments (except of lightdm)):
XAUTHORITY="$(ps wwax -C X,Xorg -o args= --sort=-stime | grep -m 1 -o '\B[-]auth\s*/var\S*auth\S*' | cut -d ' ' -f 2)"

# kdm and some others:
# XAUTHORITY="$(find /var/run/xauth/A${DISPLAY}-*|tail -n1)"

# gdm:
# XAUTHORITY="/var/gdm/${DISPLAY}.Xauth"

# slim:
# XAUTHORITY="/var/run/slim.auth"

# lightdm:
# XAUTHORITY="/var/run/lightdm/root/${DISPLAY}"


And as I'm running kdm I took a look at the relevant command.

$ find /var/run/xauth/A${DISPLAY}-*|tail -n1

Aha. Useful.

sudo xauth -f /var/run/xauth/A\:0-xNjOfc  list
#ffff##:  MIT-MAGIC-COOKIE-1  711f067eae4ec73599dc38dbfaa164f0

Oh handy. That hex code is the key you need to access the relevant display :D.

$ xterm
Invalid MIT-MAGIC-COOKIE-1 key
xterm: Xt error: Can't open display: %s
$ xauth add :0 MIT-MAGIC-COOKIE-1 700f067eae4ec73599dc38dbe7a164f1
$ xterm 
$ # success!

Putting it all together

Here's a blob of shell script I have in /root/.bash_profile:
setup_xauth() {
 authfile=$( echo /var/run/xauth/A${DISPLAY}-* );
 if [ -z "${DISPLAY}" ]; then
 if [ ! -f $authfile ]; then
 if [ ! -s $authfile ]; then
 authtoken=$( xauth -f "$authfile"  nlist | cut -d" " -f 9 );
 xauth add $DISPLAY MIT-MAGIC-COOKIE-1 $authtoken


Note, its essential that you check for read access to the file, especially if you plan on using this in a non-root users profile code.

If xauth can't read the authfile, it will just block and do nothing, and this is very bad to have in your profile.

Additionally, due to this being defined as a function, all roots shells will have a convenience function 'setup_xauth' that you can call at any time in the event you've had to change $DISPLAY, or in the event you want to access a local X display from a VT

export DISPLAY=:0
gvim # gvim launches on :0 


  1. This comment has been removed by the author.

  2. Entered code above in .bash_profile, restarted xterm window (under cygwin) and entered the export and setup_xauth commands, then tried gvim and I still get the "child process error failed to start the GUI" error.
    Nothing seems to work. I also have the correct Cygwin/X stuff installed.

    1. I'm not sure its the same with cygwin. And of course, if you entered that code in your bash profile, it relies of course on the relevant xauth file being where I think it is, and it might be somehwere else.

      You will have to track down the real location of the xauth database and use that, assuming it works the same. Sorry I'm not more helpful. ( And sorry for the slow reply, just found this in the moderation queue )