X11 forwarding 101

January 24, 2006

I got asked this today:

After I su to root how can I forward an X session over ssh?

This actually hits a huge bugbear of mine: people using the xhost command to open up the X server. That is bad, but if those same people also have root access, well, that is just the end. You don’t need to open all of X to get this to work. Here is the shell function I use to achieve this:

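    # Copy the cookie for the current display into a file root can read,
    # then print the two exports to paste into the root shell.
    function xroot {
            xauth extract ${1:-${TMPDIR:-/tmp}/.Xauthority} :${DISPLAY#*:} && \
            echo export DISPLAY=:${DISPLAY#*:}  && \
            echo export XAUTHORITY=${1:-${TMPDIR:-/tmp}/.Xauthority}
    }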

This assumes you are using MIT-MAGIC-COOKIE-1 authentication. I dabbled with the SUN-RPC authentication, but that requires a fully integrated name space. All the shell function does is use the xauth command to copy the record for the current display from my .Xauthority file into /tmp and then echo the DISPLAY and XAUTHORITY variables so that they can easily be cut and pasted. It does this because my .Xauthority file is typically on an NFS-mounted home directory that root cannot access.

So here it is in action:

    Sun Microsystems Inc.   SunOS 5.11      snv_30  October 2007
    : FSS 1 $; xroot
    export DISPLAY=:30.0
    export XAUTHORITY=/tmp/cg13442/636397/.Xauthority
    : FSS 2 $; su - kroot
    Password:
    Sun Microsystems Inc.   SunOS 5.11      snv_30  October 2007
    estale <kroot> # export DISPLAY=:30.0
    estale <kroot> # export XAUTHORITY=/tmp/cg13442/636397/.Xauthority
    estale <kroot> # set -o vi
    estale <kroot> # xterm -e sleep 10
    estale <kroot> #

There is more that the shell function could do to verify that the file it chooses for the .Xauthority is safe, but I don’t need that as I have TMPDIR set to be a directory that no one else has access to.
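One way to add the verification mentioned above, for systems where TMPDIR is not already private. This is an added example, not the author's function: the names xauth_dir_is_private and xroot_safe are hypothetical, and it assumes `mktemp -d` and `test -O` are available.

```shell
#!/bin/sh
# Added example: xauth_dir_is_private and xroot_safe are hypothetical names.

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with mode 0700 and no ACL marker ("+") in the ls output.
xauth_dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld -- "$1") in
        drwx------[!+]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Same output as xroot, but the cookie is only ever written inside a
# directory nobody else can write to, so a file or symlink planted in a
# shared /tmp cannot redirect the write or expose the cookie.
xroot_safe() {
    xr_file=${1:-${TMPDIR:-/tmp}/.Xauthority}
    xr_dir=$(dirname "$xr_file")
    if ! xauth_dir_is_private "$xr_dir"; then
        # Shared or foreign directory: use a fresh one (mktemp -d creates it 0700).
        xr_dir=$(mktemp -d "${TMPDIR:-/tmp}/xroot.XXXXXX") || return 1
        xr_file=$xr_dir/.Xauthority
    fi
    # Refuse anything but a regular file (or nothing) at the target path.
    if [ -L "$xr_file" ] || { [ -e "$xr_file" ] && [ ! -f "$xr_file" ]; }; then
        echo "xroot_safe: refusing to write $xr_file" >&2
        return 1
    fi
    # umask 077 in a subshell so the cookie file is created mode 0600.
    ( umask 077; xauth extract "$xr_file" ":${DISPLAY#*:}" ) || return 1
    echo "export DISPLAY=:${DISPLAY#*:}"
    echo "export XAUTHORITY=$xr_file"
}
```

Root on the local machine can still read the 0600 file, so the paste-into-the-root-shell step works exactly as with xroot.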

Tags: topic:[XAUTHORITY] topic:[X11] topic:[ssh] topic:[Solaris]

