I have the habit of having one user per function (for example customer care is a user, dev is a user and so on). So I’m continuously jumping from one Unix user to another.<\/p>\n
The desktop, however, is one and only one, so I need to forward X authentication from user to user (I’ll explain in a minute).<\/p>\n
In the Redhat days, that wasn’t such a problem, because the system was doing it for me. However, in switching to Ubuntu, I was surprised this feature didn’t hold.<\/p>\n
I give you an example to be more concrete. Let’s say I’ve logged into the desktop as user tof. I can do this:<\/p>\n
\nI have the habit of having one user per function (for example customer care is a user, dev is a user and so on). So I’m continuously jumping from one Unix user to another.<\/p>\n
The desktop, however, is one and only one, so I need to forward X authentication from user to user (I’ll explain in a minute).<\/p>\n
In the Redhat days, that wasn’t such a problem, because the system was doing it for me. However, in switching to Ubuntu, I was surprised this feature didn’t hold.<\/p>\n
I give you an example to be more concrete. Let’s say I’ve logged into the desktop as user tof. I can do this:
\n<\/p>\n
\r\ntof@machine:~$ xload &\r\n<\/pre>\nAnd xload appears on the screen. Nothing sexy. Now, I can switch to user dev, which I do via the user root (so I only have to remember the root password, not every user’s, but I still need to give one password):<\/p>\n
\r\ntof@machine:~$ su -\r\nPassword: ********\r\nroot@machine:~# xload &\r\n<\/pre>\nAnd it’s not working.<\/p>\n
The reasons are
\n* the DISPLAY environment variable must be exported to root’s environment and
\n* the credentials must be exported as well. Credentials are a mean to prevent another user from spying what you’re doing, notably your passwords, by listening to your interactions with the X server.<\/p>\nThere’s a PAM module that can do this automatically for you, but strangely, it isn’t enabled by default in Ubuntu 7 (“Feisty Fawn”).<\/p>\n
So we’ll do this. In \/etc\/pam.d\/su we add:<\/p>\n
\r\nsession optional \/lib\/security\/pam_xauth.so\r\n<\/pre>\nThen we try again:<\/p>\n
\r\ntof@machine:~$ su -\r\nPassword: ********\r\nroot@machine:~# xload &\r\n<\/pre>\nThis time it works ! But we aren’t at the end of the story yet. Now we go to the crm user:<\/p>\n
\r\nroot@machine:~# su - crm\r\ncrm@machine:~$ xload&\r\n<\/pre>\nThat time it doesn’t work. The reason is pam_xauth itself has a small security mechanism, such as when you go from root to another user, this user must be explicitly declared for pam_xauth to forward the X context. So we must add a ~root\/xauth directory with an “export” file, listing the crm user (alternatively, we could disable this mechanism, but a little security doesn’t hurt).<\/p>\n
As root, we type:<\/p>\n
\r\nroot@machine:~# cd\r\nroot@machine:~# mkdir xauth\r\nroot@machine:~# chmod 700 xauth # A little privacy here\r\nroot@machine:~# echo crm >> xauth\/export\r\nroot@machine:~# su - crm\r\ncrm@machine:~$ xload&\r\n<\/pre>\nThat’s it !<\/p>\n","protected":false},"excerpt":{"rendered":"