xauth is hard
There are many techniques for allowing root (or any other user) to open programs on your display.
When not configured to do so, simple things don't work, and there are 2 general results you get:
No previous attempt at getting xauth based auth to work
> sudo gvim
No protocol specified
E233: cannot open display
E852: The child process failed to start the GUI
No protocol specified
Press ENTER or type command to continue
With previous attempts at using xauth based auth
Invalid MIT-MAGIC-COOKIE-1 key
E233: cannot open display
E852: The child process failed to start the GUI
Invalid MIT-MAGIC-COOKIE-1 key
This case occurs, I believe, due to your X display having a unique authentication key per session.
But your display likely stores an Xauthority database somewhere on disk.
I discovered this little gem when looking at some of the code VirtualGL/Bumblebee uses (because it has to run a secret display as a different user, and that different user has to be able to write to your screen):
set_xauth() {
# common case (works in almost all tested environments (except of lightdm)):
XAUTHORITY="$(ps wwax -C X,Xorg -o args= --sort=-stime | grep -m 1 -o '\B[-]auth\s*/var\S*auth\S*' | cut -d ' ' -f 2)"
# kdm and some others:
# XAUTHORITY="$(find /var/run/xauth/A${DISPLAY}-*|tail -n1)"
# gdm:
# XAUTHORITY="/var/gdm/${DISPLAY}.Xauth"
# slim:
# XAUTHORITY="/var/run/slim.auth"
# lightdm:
# XAUTHORITY="/var/run/lightdm/root/${DISPLAY}"
}
And as I'm running kdm, I took a look at the relevant command.
$ find /var/run/xauth/A${DISPLAY}-*|tail -n1
/var/run/xauth/A:0-xNjOfc
Aha. Useful.
sudo xauth -f /var/run/xauth/A\:0-xNjOfc list
#ffff##: MIT-MAGIC-COOKIE-1 711f067eae4ec73599dc38dbfaa164f0
Oh handy. That hex code is the key you need to access the relevant display :D.
$ xterm
Invalid MIT-MAGIC-COOKIE-1 key
xterm: Xt error: Can't open display: %s
$ xauth add :0 MIT-MAGIC-COOKIE-1 700f067eae4ec73599dc38dbe7a164f1
$ xterm
$ # success!
Putting it all together
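Here's a blob of shell script I have in /root/.bash_profile:
setup_xauth() {
    # Nothing to do without a display to authenticate against.
    if [ -z "${DISPLAY}" ]; then
        return
    fi
    # kdm keeps the per-session Xauthority file here.
    authfile=$( echo /var/run/xauth/A${DISPLAY}-* )
    # Bail out unless it is a regular, non-empty file.
    if [ ! -f "$authfile" ]; then
        return
    fi
    if [ ! -s "$authfile" ]; then
        return
    fi
    # xauth blocks on a file it cannot read, so check read access first.
    if [ ! -r "$authfile" ]; then
        return
    fi
    # Field 9 of the numeric listing is the hex cookie.
    authtoken=$( xauth -f "$authfile" nlist | cut -d" " -f 9 )
    xauth add "$DISPLAY" MIT-MAGIC-COOKIE-1 "$authtoken"
}
setup_xauth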
Note, it's essential that you check for read access to the file, especially if you plan on using this in a non-root user's profile code.
If xauth can't read the authfile, it will just block and do nothing, and this is very bad to have in your profile.
Additionally, due to this being defined as a function, all root's shells will have a convenience function 'setup_xauth' that you can call at any time in the event you've had to change $DISPLAY, or in the event you want to access a local X display from a VT:
export DISPLAY=:0
setup_xauth
gvim # gvim launches on :0
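An added example, not part of the original post: the cut -d" " -f 9 step in setup_xauth takes the ninth field of every nlist line, whatever protocol the entry belongs to. The sketch below keeps the single-space splitting (so the empty address and number fields of an entry like the #ffff## one above do not shift the columns) but accepts only a MIT-MAGIC-COOKIE-1 entry carrying a 16-byte hex cookie. pick_cookie, MIT_NAME_HEX and SAMPLE_NLIST are hypothetical names, and the sample lines are constructed on the assumption that nlist prints nine single-space-separated hex fields.

```shell
# "MIT-MAGIC-COOKIE-1" as it appears hex-encoded in the name field of nlist.
MIT_NAME_HEX=4d49542d4d414749432d434f4f4b49452d31

# pick_cookie: read `xauth nlist` lines on stdin and print the first
# well-formed MIT-MAGIC-COOKIE-1 value. Returns 1 if none is found.
pick_cookie() {
    while IFS= read -r line; do
        # cut splits on every single space, so empty fields keep their slot.
        name=$(printf '%s\n' "$line" | cut -d' ' -f7)
        dlen=$(printf '%s\n' "$line" | cut -d' ' -f8)
        data=$(printf '%s\n' "$line" | cut -d' ' -f9)
        [ "$name" = "$MIT_NAME_HEX" ] || continue   # other auth protocols
        [ "$dlen" = "0010" ] || continue            # cookie must be 16 bytes
        case $data in
            *[!0-9a-f]*) continue ;;                # not pure lowercase hex
        esac
        [ "${#data}" -eq 32 ] || continue           # truncated or padded
        printf '%s\n' "$data"
        return 0
    done
    return 1
}

# Constructed sample input (not real cookies): an XDM-AUTHORIZATION-1 entry,
# a truncated MIT entry, then a valid MIT entry with empty address/number.
SAMPLE_NLIST='0100 0004 686f7374 0001 30 0013 58444d2d415554484f52495a4154494f4e2d31 0010 ffeeddccbbaa99887766554433221100
0100 0004 686f7374 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 deadbeef
ffff 0000  0000  0012 4d49542d4d414749432d434f4f4b49452d31 0010 00112233445566778899aabbccddeeff'

# Demo on the sample; in setup_xauth the input would instead come from
#   xauth -f "$authfile" nlist | pick_cookie
printf '%s\n' "$SAMPLE_NLIST" | pick_cookie
```

If pick_cookie returns non-zero, skip the xauth add rather than adding an empty or malformed key.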