I have the habit of having one user per function (for example customer care is a user, dev is a user and so on). So I’m continuously jumping from one Unix user to another.
The desktop, however, is one and only one, so I need to forward X authentication from user to user (I’ll explain in a minute).
In the Redhat days, that wasn’t such a problem, because the system was doing it for me. However, in switching to Ubuntu, I was surprised this feature didn’t hold.
I give you an example to be more concrete. Let’s say I’ve logged into the desktop as user tof. I can do this:
tof@machine:~$ xload &
And xload appears on the screen. Nothing sexy. Now, I can switch to user dev, which I do via the user root (so I only have to remember the root password, not every user’s, but I still need to give one password):
tof@machine:~$ su -
Password: ********
root@machine:~# xload &
And it’s not working.
The reasons are
* the DISPLAY environment variable must be exported to root’s environment and
* the credentials must be exported as well. Credentials are a means to prevent another user from spying on what you’re doing, notably your passwords, by listening to your interactions with the X server.
There’s a PAM module that can do this automatically for you, but strangely, it isn’t enabled by default in Ubuntu 7 (“Feisty Fawn”).
So we’ll do this. In /etc/pam.d/su we add:
session optional /lib/security/pam_xauth.so
Then we try again:
tof@machine:~$ su -
Password: ********
root@machine:~# xload &
This time it works! But we aren’t at the end of the story yet. Now we go to the crm user:
root@machine:~# su - crm
crm@machine:~$ xload &
That time it doesn’t work. The reason is that pam_xauth itself has a small security mechanism: when you go from root to another user, that user must be explicitly declared for pam_xauth to forward the X context. So we must add a ~root/xauth directory with an “export” file listing the crm user (alternatively, we could disable this mechanism, but a little security doesn’t hurt).
As root, we type:
root@machine:~# cd
root@machine:~# mkdir xauth
root@machine:~# chmod 700 xauth   # A little privacy here
root@machine:~# echo crm >> xauth/export
root@machine:~# su - crm
crm@machine:~$ xload &
That’s it!
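An audit of the setup above, added here as an example and not part of the original post: a shell check that reports whether a PAM service file enables pam_xauth on a session line and whether the source user’s export list names the target user (or carries pam_xauth’s "*" any-user entry). It works on constructed stand-in files so it runs offline; on a real system you would pass it /etc/pam.d/su and root’s export file instead.

```shell
# Audit a PAM service file plus a pam_xauth export list: does "su" from the
# owner of that export list to TARGET get the X cookie forwarded?
# Returns 0 when pam_xauth is enabled on a session line AND TARGET is named in
# the export file (or the file has a "*" entry, pam_xauth's any-user wildcard).
# Comment (#...) lines are ignored in both files.
check_xauth_forward() {
  pamfile=$1; exportfile=$2; target=$3
  # 1. the service file must load pam_xauth on an active "session" line
  grep -v '^[[:space:]]*#' "$pamfile" 2>/dev/null \
    | grep -q '^[[:space:]]*session[[:space:]].*pam_xauth\.so' || return 1
  # 2. the source user's export list must exist and name the target (or "*")
  [ -r "$exportfile" ] || return 1
  grep -v '^[[:space:]]*#' "$exportfile" | grep -qx -e "$target" -e '\*'
}

# Constructed stand-ins for /etc/pam.d/su and root's export list, written to a
# scratch directory so the check can run offline (not real system files).
make_fixture() {
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir"
  printf '%s\n' '# constructed sample of /etc/pam.d/su' \
    'auth    sufficient pam_rootok.so' \
    'session optional   pam_xauth.so' > "$dir/su.pam"
  # same file with the pam_xauth line left out (the Ubuntu default the post hit)
  printf '%s\n' 'session optional pam_unix.so' > "$dir/su-noxauth.pam"
  printf '%s\n' '# users root may forward its X cookie to' 'crm' > "$dir/export"
}

demo() {
  d=${TMPDIR:-/tmp}/xauth-demo.$$
  make_fixture "$d"
  for u in crm dev; do
    if check_xauth_forward "$d/su.pam" "$d/export" "$u"; then
      echo "root -> $u: X cookie forwarded"
    else
      echo "root -> $u: xload will fail; add $u to the export file"
    fi
  done
  rm -rf "$d"
}
demo
```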