PAM, X11, and su as a normal user?

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Sep 6 05:03:35 PDT 2003


On Fri, Sep 05, 2003 at 03:08:22PM -0700, Steven G. Kargl wrote:
> Matthew Seaman wrote:
> > On Fri, Sep 05, 2003 at 12:18:40PM -0700, Steven G. Kargl wrote:
> > > After a few hours of frustration, it's time to ask a question.
> > > 
> > > I have 2 accounts on my machine.  I use startx to start
> > > X11 as user kargl.  If I then su to user sgk, I cannot
> > > fire up X clients.  For example,
> > > 
> > > troutmask:kargl[202] su sgk
> > > Password:
> > > troutmask:sgk[201] gnuplot
> > > Terminal type set to 'x11'
> > > gnuplot> plot sin(x)
> > > gnuplot> 
> > > gnuplot: unable to open display 'troutmask.apl.washington.edu:0'
> > > gnuplot: X11 aborted.
> > > 
> > > I've tried using "xhost sgk@", but this doesn't work.
> > > The only thing I can think of that may need to be
> > > configured is PAM, but the documentation is rather
> > > incomplete.  So, anyone know how to set up su to
> > > permit sgk to use X clients?
> > 
> > As user kargl:
> > 
> >     % xauth nextract /tmp/foo ${DISPLAY}
> > 
> > As user sgk:
> > 
> >     % xauth nmerge /tmp/foo
> > 
> > and remember to delete /tmp/foo as soon as possible.
> > 
> 
> I still get the above results with gnuplot after issuing the
> two xauth commands you give above.  If I use "xauth list"
> as both users the entry for $DISPLAY shows the same key.
> 
> troutmask:sgk[246] xauth list
> troutmask.apl.washington.edu:0  MIT-MAGIC-COOKIE-1  some_long_string
> troutmask:kargl[245] xauth list
> troutmask.apl.washington.edu:0  MIT-MAGIC-COOKIE-1  some_long_string
> 
> 
> I suspect that I need to add something to /etc/pam.d/{su,system,xserver},
> but I can't locate adequate documentation.

If all your X sessions are local to your machine (and possibly even if
they aren't), then try setting the DISPLAY variable to :0.0 -- you'll
need to repeat the fun'n'games with xauth to match the new $DISPLAY
setting.

That means that all connections to the X server will take place via
the unix domain socket in /tmp/.X11-unix/ rather than through network
sockets.  This is generally a good move as the default in FreeBSD
nowadays is for the X server not to listen on the network at all.

You can check if your X server is listening on the net by running:

    % netstat -an | grep '\.60[0-6][0-9] '

On a system using the default settings, there won't be any output from
that command.  Ports 6000 -- 6063 are allocated to the X window
system, although generally only the bottom one or two of that range
would ever be used on most personal machines.  Note that port 6010 or
above is generally ssh(1), rather than the X server directly.  ssh(1)
is also the answer to being able to run X clients remotely without
having the X server listening directly on the network, incidentally
having the very welcome benefit of encrypting all of the X network
traffic.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
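
Added example (not part of the original message): a POSIX shell filter for the netstat check described above, narrowed to sockets in LISTEN state on ports 6000-6063 and reporting whether each is bound to loopback or reachable from the network. The function name, output format and sample lines are constructed for illustration; the split at 6010 follows the message's remark that ports 6010 and above are generally ssh(1).

```shell
#!/bin/sh
# Read `netstat -an` output on stdin and print one line per listening TCP
# socket in the X11 range:  <port> <address> <kind> <scope>
# Accepts the FreeBSD "addr.port" and the Linux "addr:port" address forms.
x11_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        la = $4                            # local address column
        port = la
        sub(/^.*[.:]/, "", port)           # text after the last "." or ":"
        if (port !~ /^[0-9]+$/) next
        if (port + 0 < 6000 || port + 0 > 6063) next
        addr = substr(la, 1, length(la) - length(port) - 1)
        # Heuristic from the message: 6010 and up is usually ssh forwarding.
        kind = (port + 0 < 6010) ? "x-server" : "ssh-forward"
        scope = (addr == "127.0.0.1" || addr == "::1" || addr == "localhost") \
                ? "loopback" : "network"
        printf "%d %s %s %s\n", port, addr, kind, scope
    }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='tcp4       0      0 *.6000                 *.*                    LISTEN
tcp4       0      0 127.0.0.1.6010         *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 192.0.2.10.51234       192.0.2.20.6000        ESTABLISHED
tcp        0      0 127.0.0.1:6011         0.0.0.0:*              LISTEN
tcp6       0      0 :::6001                :::*                   LISTEN
tcp4       0      0 *.6064                 *.*                    LISTEN'

printf '%s\n' "$SAMPLE" | x11_listeners

# On a live system:  netstat -an | x11_listeners
```

Any line ending in "x-server network" means the X server itself is accepting TCP connections; no output at all matches the default configuration described in the message.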