Hello everyone,
I'm just trying to switch the current user and then invoke some X11 application, but this does not work.
On Redhat-based machines this never was a problem, and I need this means to keep my accounts separate from each other for security reasons. E.g., I do a
'su - bank'
and after logging in I can invoke
'chromium-browser https://pathtoonlinebanking'
Now I see that Debian-based Raspbian OS and Ubuntu (23.10) behave very similarly; it looks like this:
$ su - test1
Password:
$ firefox
Error: no DISPLAY environment variable specified
$ DISPLAY=':0.0' firefox
Authorization required, but no authorization protocol specified
That it is the same on Raspbian and on Ubuntu lets me assume that it was not me who misconfigured something.
Can this be fixed easily? - Thanks!
Best regards,
Markus
On 12/8/2023 11:38 AM, Markus Robert Kessler wrote:
$ su - test1
Password:
$ firefox
Error: no DISPLAY environment variable specified
$ DISPLAY=':0.0' firefox
Authorization required, but no authorization protocol specified
That it is the same on Raspbian and on Ubuntu lets me assume that it was not me who misconfigured something.
I believe you need to use xhost to add test1 as authorized to connect.
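The xhost route suggested above does work, but `xhost +` with no name switches access control off for every process that can reach the socket, in any account. The following added example (my own, not a script from this thread or from any of the posters) shows the narrower per-account form, `SI:localuser:<name>`, and a check of what the server currently allows. It assumes xhost(1) and an Xorg server; the `xhost` output used in the comments and checks is constructed, not captured from the poster's machines.

```shell
#!/bin/sh
# Added example, not from the thread. Inspect and change the X server's
# host-based access list for a second local account. Assumes xhost(1)
# and an Xorg server; sample "xhost" outputs used by the checks are
# constructed.
set -eu

# "xhost" with no arguments prints a status line followed by one entry
# per line, e.g.
#   access control enabled, only authorized clients can connect
#   SI:localuser:bank
# xhost_is_wide_open reads that output on stdin and succeeds when access
# control is off, i.e. after someone ran "xhost +": then any process that
# can open the socket, in any account, talks to the server, no cookie needed.
xhost_is_wide_open() {
    grep -q '^access control disabled'
}

# Account names granted through the server-interpreted local-user form.
xhost_local_users() {
    sed -n 's/^SI:localuser:\(.*\)$/\1/p'
}

# Grant or revoke exactly one local account (matched by uid on the unix
# socket) instead of "xhost +" or "xhost +localhost".
grant_cmd()  { printf 'xhost +SI:localuser:%s\n' "$1"; }
revoke_cmd() { printf 'xhost -SI:localuser:%s\n' "$1"; }

# Live audit, run inside the X session:
#   ./xhost_audit.sh            # report only
#   ./xhost_audit.sh bank       # report, then grant the account 'bank'
if [ "${DISPLAY:-}" ] && command -v xhost >/dev/null 2>&1; then
    out=$(xhost 2>/dev/null || true)
    if printf '%s\n' "$out" | xhost_is_wide_open; then
        echo "WARNING: access control is disabled; run 'xhost -' to re-enable it" >&2
    fi
    echo "local accounts currently allowed: $(printf '%s\n' "$out" | xhost_local_users | tr '\n' ' ')"
    if [ "${1:-}" ]; then
        echo "granting: $(grant_cmd "$1")"
        xhost "+SI:localuser:$1"
    fi
fi
```

Like a shared cookie, the grant gives every process the second account runs the same full view of the display (windows, input events, clipboard); it only decides who may connect, and it lasts for the life of the X server unless revoked with the `-SI:localuser:` form.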
Make sure xauth is installed.
You'll probably just have to do, as your normal user:
xauth list $DISPLAY
then use 'xauth add' to put that output into your su/sudo user's .Xauthority file.
https://www.simplified.guide/ssh/x11-forwarding-as-root
What I found out is that when switching with 'su - newaccount', then
- a file ~/.xauth* (e.g.: .xauthOa9EpX) is automatically created
  (by su? by pam?)
- and when starting an X app like xclock, this works, or
- when deleting this .xauth* and starting the X app, then the above error occurs
On 2023-12-08, Markus Robert Kessler <no_reply@dipl-ing-kessler.de> wrote:
$ su - test1
Password:
$ firefox
Error: no DISPLAY environment variable specified
$ DISPLAY=':0.0' firefox
Authorization required, but no authorization protocol specified
It sounds like you're running into the XAUTH system.
Normally, in the home directory of the user who's running X stuff there
is a file called ".Xauthority", and environment variable XAUTHORITY
holds the full, absolute path to that file.
In order for user B to run X clients/apps when user A is the one who
started the X server, user B must set environment variable XAUTHORITY to
a file which user B has permission to read and which has the same
contents as user A's ~/.Xauthority.
How you get that file and environment variable set depends on your use
case. I run my web browsers, gimp, and a few other programs as a
different user for security and a few other reasons. I have wrapper
scripts that do the file copying,
environment variable setting, and environment variable preservation
across sudo and/or su. For the way I do all that,
user B's only reason for existence is to run browsers and such for user
A, and it's important that user A have write permission to user B's home directory by means of the g+w permission bit.
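The cookie hand-off Robert describes, as an added example (my own, not a script from this thread or from any of the posters). It assumes xauth(1) is installed for both accounts, that the target account name is given as the first argument, and that it is run from the account that owns the X session; the `xauth list` sample in the comments and checks is constructed. Unlike copying ~/.Xauthority, it moves only the one cookie for the current display through a pipe, so user A needs no write access to user B's home directory, and the file B ends up with is the 0600 ~/.Xauthority that xauth creates itself.

```shell
#!/bin/sh
# Added example, not from the thread. Hand the MIT-MAGIC-COOKIE-1 for the
# current display to another local account without copying ~/.Xauthority.
# Assumes: xauth(1) available to both users; target account name in $1;
# run by the owner of the X session. The "xauth list" sample used in the
# comments is constructed.
set -eu

# Reduce a display name to the number xauth keys its entries on:
#   ":0.0" -> 0, ":1" -> 1, "localhost:10.0" -> 10
display_number() {
    printf '%s\n' "$1" | sed -e 's/^.*://' -e 's/\..*$//'
}

# Select one display's cookie from "xauth list" output read on stdin.
# Each line looks like:  myhost/unix:0  MIT-MAGIC-COOKIE-1  <32 hex digits>
# Prints "<protocol> <hexkey>" for the requested display number, or
# nothing if there is no entry for it. Moving only this entry, rather
# than the whole file, keeps cookies for other displays (for example
# forwarded SSH sessions) out of the second account's reach.
cookie_for_display() {
    awk -v want="$1" '
        { n = $1; sub(/^.*:/, "", n); if (n == want) { print $2, $3; exit } }
    '
}

# Permission check for an authority file: it must be 0600 (owner-only),
# because whoever can read the cookie has full access to the display.
mode_is_owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Actual hand-off; runs only when invoked with a target user inside an
# X session, e.g.:   ./share_cookie.sh bank
# "xauth nextract" writes the entry to stdout, su reads the password
# from the terminal (not from the pipe), and "xauth nmerge -" on the
# target side stores it in the target's own ~/.Xauthority with mode 0600.
if [ "${1:-}" ] && [ "${DISPLAY:-}" ]; then
    target="$1"
    n=$(display_number "$DISPLAY")
    if ! xauth list "$DISPLAY" | cookie_for_display "$n" | grep -q .; then
        echo "no cookie for display $DISPLAY in this account's authority file" >&2
        exit 1
    fi
    xauth nextract - "$DISPLAY" | su - "$target" -c 'xauth nmerge -'
    echo "now run, as $target:  DISPLAY=$DISPLAY firefox"
fi
```

The hand-off gives the second account exactly what the cookie is: full access to the display, so it solves the "Authorization required" error but not the isolation question raised later in the thread.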
On 09/12/2023 11:54, Markus Robert Kessler wrote:
What I found out is that when switching with 'su - newaccount', then
- a file ~/.xauth* (e.g.: .xauthOa9EpX) is automatically created
  (by su? by pam?)
- and when starting an X app like xclock, this works, or
- when deleting this .xauth* and starting the X app, then the above error occurs
This suggests that the original problem may have been su'ing to a user
with no home directory, or one that the user has no permissions for, so
this file cannot be created.
On Sat, 9 Dec 2023 12:09:35 +0000 The Natural Philosopher wrote:
On 09/12/2023 11:54, Markus Robert Kessler wrote:
What I found out is, that when switching 'su - newaccount', then
- a file ~/.xauth* (e.g.: .xauthOa9EpX) is automatically created
(by su? by pam?)
- and when starting an X app like xclock, this works, or
- when deleting this .xauth* and starting the X app, then the above error occurs
This suggests that the original problem may have been su'ing to a user
with no home directory, or one that the user has no permissions for, so
this file cannot be created.
Hi, good point, indeed, but on Mageia, where this works, I can switch
freely via su - test... between the test* accounts. Directory /home/ lists
like
drwx------ 9 test test 4,0K Dec 9 12:56 test/
drwx------ 2 test1 test1 4,0K Dec 7 16:46 test1/
drwx------ 2 test2 test2 4,0K Nov 4 20:10 test2/
drwx------ 10 test3 test3 4,0K Dec 9 11:24 test3/
drwx------ 2 test4 test4 4,0K Nov 21 14:45 test4/
So, the root cause may be located somewhere else.
Markus Robert Kessler <no_reply@dipl-ing-kessler.de> writes:
I'm just trying to switch the current user and then invoke some X11 application, but this does not work.
On Redhat-based machines this never was a problem, and I need this means to keep my accounts separate from each other for security reasons. E.g., I do a
It sounds like you're trying to isolate the web browser that you use for banking websites from other applications in the same login session by running it under a different user ID.
However, that isolation does not exist in the X11 model.
http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
Dammit. I read the above article and tested on Mageia and on Raspbian.
Assuming the same behaviour on Ubuntu.
So, quite slowly, I suspect more and more that Debian-based distros are
not enabling su - / x-app right out of the box, by intention.
I already handled with caution logging into online banking during M$ Teams meetings, because for audio in-/output they need access to the desktop,
and hence they could take screenshots of other windows like the online
banking app.
So, it looks like the only proper approach is to completely log off from
the X11 session instead of su - / x-app, or open a second X11 / desktop session.
Or shut everything else down while doing private stuff. It's hard
to prevent screen scraping and key logging. If someone can get a keylogger into one account they can probably get it into all accounts.
The underlying -- so called -- problem has been well known and
understood by many in the Unix community for a long time.
In short, don't give untrusted people / apps / things access to your X11 display server.
On 9 Dec 2023 04:37:09 GMT Robert Riches wrote:
In order for user B to run X clients/apps when user A is the one who
started the X server, user B must set environment variable XAUTHORITY
to a file which user B has permission to read and which has the same
contents as user A's ~/.Xauthority.
How you get that file and environment variable set depends on your use
case. I run my web browsers, gimp, and a few other programs as a
different user for security and a few other reasons. I have wrapper
scripts that do the file copying,
environment variable setting, and environment variable preservation
across sudo and/or su. For the way I do all that,
user B's only reason for existence is to run browsers and such for user
A, and it's important that user A have write permission to user B's
home directory by means of the g+w permission bit.
Hi,
maybe there's a way around wrapper scripts?
I am wondering, why on Redhat-based systems like Mageia there is no need
for that, instead all this is done in background.
What I found out is that when switching with 'su - newaccount', then
- a file ~/.xauth* (e.g.: .xauthOa9EpX) is automatically created
  (by su? by pam?)
- and when starting an X app like xclock, this works, or
- when deleting this .xauth* and starting the X app, then the above error occurs
This looks like su does all this "wrapping" automatically, as long as it
is configured adequately. Maybe systemd also plays some role here.
Does anyone have more details here?
I am asking because life would be easier if this ran automatically :-)
Thanks!
Best regards,
Markus
On 12/9/23 12:57, Ahem A Rivet's Shot wrote:
Or shut everything else down while doing private stuff. It's
hard to prevent screen scraping and key logging. If someone can get a keylogger into one account they can probably get it into all accounts.
Providing any access to an X11 display server is tantamount to a key /
screen logger. It's actually worse than /just/ a logger in that it can
be a writer too.
One way to isolate applications completely would be to run each application in its own VM with its own X11 display (or Wayland) all
displayed in a real X11 display that does nothing but run VNC viewers to
the VMs. Nothing but a minimal window manager that launches VM sessions
runs in the real X11 display. This does require users to be able to launch VMs - preferably ones that cannot be accessed by other users, if needs be a setuid tool could be used I suppose.
Hi everyone,
I have suspected pam authentication already, and in the meantime I
compared Mageia and Raspbian more deeply regarding the entries in /etc/pam.d.
I found out, that adding this line
session optional pam_xauth.so
to the front of /etc/pam.d/su
solves this issue. I've also tested this on Ubuntu successfully.
Now, after su - newuser, invoking an app for X11, like xclock, makes this window open and working.
Finally, big thanks to all of you for this wonderful and highly
interesting discussion!
Nevertheless, it turned out to be a good idea to always handle X / desktop sessions with care.
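A check for the pam_xauth fix Markus found, plus the per-user allow-lists that pam_xauth(8) documents, as an added example (my own, not a script from this thread or from any of the posters). It assumes Linux-PAM with pam_xauth.so and that /etc/pam.d/su is the stack su uses on the system; the PAM file and home directory paths are parameters so the functions can be exercised on scratch files. The allow-list semantics are as stated in pam_xauth(8): an absent file means forward to, or accept from, anyone.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether su forwards the X
# cookie through pam_xauth, and manages the allow-lists the module honours.
# Assumes Linux-PAM with pam_xauth.so; paths are parameters so the
# functions can be run against scratch files.
set -eu

# 0 if FILE has an active (uncommented) "session <control> pam_xauth.so"
# line, 1 otherwise. A plain "grep pam_xauth" would also match a
# commented-out line, which is exactly the state that produces the
# "Authorization required" error after "su - user".
pam_xauth_enabled() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(optional|required|requisite|sufficient|\[[^]]*\])[[:space:]]+pam_xauth\.so' "$1"
}

# pam_xauth(8) consults two optional allow-lists, one user name per line:
#   <source home>/.xauth/export   target users who may receive the cookie
#   <target home>/.xauth/import   source users whose cookie is accepted
# If a file is absent, that side forwards to / accepts from anyone.
# write_allowlist HOME export|import USER...   (files kept owner-only)
write_allowlist() {
    home="$1"; kind="$2"; shift 2
    case "$kind" in
        export|import) ;;
        *) echo "kind must be export or import" >&2; return 2 ;;
    esac
    mkdir -p "$home/.xauth"
    chmod 700 "$home/.xauth"
    : > "$home/.xauth/$kind"
    for u in "$@"; do printf '%s\n' "$u" >> "$home/.xauth/$kind"; done
    chmod 600 "$home/.xauth/$kind"
}

# allowed_by_list HOME export|import USER
# 0 if USER is listed, or if no list exists (the module's default);
# 1 if a list exists and omits USER.
allowed_by_list() {
    f="$1/.xauth/$2"
    [ -f "$f" ] || return 0
    grep -qx "$3" "$f"
}

# Live check of the fix from the thread (the line Markus added):
#   ./pam_xauth_check.sh --check
# If it reports "not active", inspect with:  grep -n pam_xauth /etc/pam.d/su
# and add "session optional pam_xauth.so" to that file as root.
if [ "${1:-}" = "--check" ]; then
    if pam_xauth_enabled /etc/pam.d/su; then
        echo "su: pam_xauth active; the X cookie is forwarded to the target user"
    else
        echo "su: pam_xauth not active; 'su - user' followed by 'DISPLAY=:0 firefox' will fail authorization"
    fi
    me="${HOME:-}"
    [ -f "$me/.xauth/export" ] && echo "export list present: only the users in $me/.xauth/export receive your cookie"
    [ -f "$me/.xauth/export" ] || echo "no export list: your cookie is forwarded to any account you su to"
fi
```

With an export list in the session owner's home containing only the banking account, a later `su -` to some other account no longer carries the cookie along, which narrows the forwarding to the one account it was meant for; it still does not isolate that account from the rest of the display, as discussed above.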
I may not be understanding correctly, but why not use a different
terminal to access the test1 user?
Ctrl-Alt-F[2345] to get a new terminal, log in as test1 and then run
startx.
This would seem, to me, to give you a completely separate, private, X session.
I stand ready to be corrected.
On 12/10/23 07:49, Chris Elvidge wrote:
I may not be understanding correctly, but why not use a different
terminal to access the test1 user?
Not everybody knows or cares to do that.
Ctrl-Alt-F[2345] to get a new terminal, log in as test1 and then run
startx.
Not all Linux / X11 / WM / DE configurations support doing that.
Therefore not all graphics hardware / X11 servers will support that.
This would seem, to me, to give you a completely separate, private, X
session.
It is much more private.
But it's also more disruptive.
There is likely no way to directly share things like the clipboard
between the multiple X11 sessions.
I stand ready to be corrected.
I'm sure there are ways to overcome many, if not most, of the problems.
But this is an atypical / not out of the box solution that will probably
only be acceptable for a few.
Could it work in the proper configuration, absolutely.
Is your average home system / college starter notebook going to support
it out of the box? I doubt it.
Linux supports terminal switching as standard (AFAIK) - Alt-F[123456]
X11 supports Ctl-Alt-F[123456]
I don't know about Wayland. If it doesn't that's yet another reason to
keep X11.
Obviously this assumes (yes, I know) that your init system supports
multiple terminals.
LMDE and MX Linux (systemd) and Slackware
(init/inittab) do out of the box.
Why would you want to? It's a separate session.
But do you have evidence of that?
On 10/12/2023 15:01, Grant Taylor wrote:
On 12/10/23 07:49, Chris Elvidge wrote:
I may not be understanding correctly, but why not use a different
terminal to access the test1 user?
Not everybody knows or cares to do that.
Ctrl-Alt-F[2345] to get a new terminal, log in as test1 and then run
startx.
Not all Linux / X11 / WM / DE configurations support doing that.
Linux supports terminal switching as standard (AFAIK) - Alt-F[123456]
X11 suports Ctl-Alt-F[123456]
Yes - however there is one important detail. Running startx does
not start an X session on the terminal you run it from; it uses the first free virtual terminal - you can detach startx and log out on the terminal
you start on. Also, to run more than one X server you have to pass startx an argument to tell it what display it is if it isn't the default. It's been a long time since I did this and scripted it in a long-lost shell function,
and I've a feeling there was another fiddly detail, but it's all doable, or
at least was several years ago.
ISTR only one X server got access to DRM.
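The two details above (startx grabs the first free VT, and a second server needs its own display number) as an added example, my own and not a script from the thread. It assumes the Xorg convention of /tmp/.X<N>-lock and /tmp/.X11-unix/X<N> for display N, that it is run from a text console (Ctrl-Alt-F3 etc.) already logged in as the second account, and that the console number is passed as the first argument; the directory parameter exists only so the lookup can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread. Start a second, separate X server
# for another account on its own display number and virtual console.
# Assumes Xorg's /tmp/.X<N>-lock and /tmp/.X11-unix/X<N> naming; run from
# a text console already logged in as that account.
set -eu

# Lowest display number N whose lock file and socket do not exist.
# The directory is /tmp on a real system; it is a parameter so the
# lookup can be tried on a scratch directory.
next_free_display() {   # next_free_display [dir]
    t="${1:-/tmp}"; n=0
    while [ -e "$t/.X$n-lock" ] || [ -e "$t/.X11-unix/X$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Build the startx command line. Everything after "--" goes to the X
# server: ":N" selects the display, "vtM" pins the server to console M
# (the one we were started from) instead of the next free one, which is
# the surprise described above. A client, if given, must start with "/"
# or "./", otherwise startx passes it as an argument to the default xinitrc.
startx_cmd() {   # startx_cmd N vtM [/abs/path/to/client ...]
    n="$1"; vt="$2"; shift 2
    if [ $# -gt 0 ]; then
        printf 'startx %s -- :%s %s\n' "$*" "$n" "$vt"
    else
        printf 'startx -- :%s %s\n' "$n" "$vt"
    fi
}

# Live use, e.g. "./second_x.sh 3" on tty3, or "./second_x.sh 3 /usr/bin/xterm".
# startx generates a fresh cookie for :N in this account's ~/.Xauthority,
# so the first session's cookie is never shared with this one.
if [ "${1:-}" ]; then
    n=$(next_free_display)
    if [ "${2:-}" ]; then
        echo "running: $(startx_cmd "$n" "vt$1" "$2")"
        startx "$2" -- ":$n" "vt$1"
    else
        echo "running: $(startx_cmd "$n" "vt$1")"
        startx -- ":$n" "vt$1"
    fi
fi
```

If the second server does not come up, the DRM point raised above is the first thing to check in /var/log/Xorg.N.log (or ~/.local/share/xorg/Xorg.N.log for a rootless server): whether the second Xorg was able to open the GPU depends on the distribution's Xorg/logind setup, not on this script.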