How to get Graphical Applications working with sudo in SLE 10


In SLE 10, the sudo defaults have been modified to enhance security. Unfortunately, this means that some things no longer work the way we were used to in, for instance, SLES 9. One of the main differences is that graphical applications no longer work by default! In most cases, you also want sudo to prompt for the user’s own password rather than root’s. Both of these are covered below.

So, run visudo and add the following line at the end of the file:

%users ALL=/usr/X11R6/bin/xeyes

and change the authentication method to prompt for the user’s password by commenting out these lines:

#Defaults targetpw    # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

If you then try to run xeyes as a normal user, you will see the following:

mark@t43p:~> sudo xeyes
Password or swipe finger:
Error: Can't open display:

This is because SLE 10 clears almost all of the user’s environment variables before starting the new shell as root to ensure that nothing malicious can be passed through.

Fixing this is quite simple. Edit the configuration again and find the following line:

Defaults env_reset

Below this line add the following two lines:

Defaults env_keep=DISPLAY
Defaults env_keep+=XAUTHORITY

This instructs sudo to preserve the DISPLAY setting and the security token setting required to write to the display. Save and quit, and try running xeyes again.

mark@t43p:~> sudo xeyes
Password or swipe finger:

xeyes will now watch your every move!

If you want to confirm that xeyes is indeed running as root, try the following:

mark@t43p:~> ps auxx | grep xeyes
root     16116  0.0  0.0   3368  1568 pts/2    S    11:40   0:00 xeyes

Here I have just used xeyes as an example, but the principle should work for any graphical application.
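
The two env_keep lines above use different operators: "=" sets the list and "+=" appends to it, so their order relative to any other env_keep line in the file matters. The following is an added example, not part of the original article: a small POSIX shell model that computes the list a sequence of global Defaults env_keep lines produces, also covering "-=" and a later "=" line, which go beyond the article's case. The function names and both sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): compute the env_keep list produced
# by a sequence of global "Defaults env_keep" lines. Simplified model: scoped
# Defaults, "!env_keep", line continuations and sudo's built-in list are ignored.

effective_env_keep() (
    # stdin: sudoers text; stdout: resulting list, space-separated.
    set -f                                   # entries such as LC_* must not glob
    keep=" "
    while IFS= read -r line; do
        line=${line%%#*}                     # drop comments
        parsed=$(printf '%s\n' "$line" | sed -n -E \
            's/^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*(\+=|-=|=)[[:space:]]*(.*)$/\1 \2/p' \
            | tr -d '"')
        [ -n "$parsed" ] || continue
        op=${parsed%% *}
        [ "$op" = "=" ] && keep=" "          # plain "=" replaces the whole list
        for v in ${parsed#* }; do
            if [ "$op" = "-=" ]; then        # "-=" removes one entry
                new=" "
                for k in $keep; do [ "$k" = "$v" ] || new="$new$k "; done
                keep=$new
            else                             # "=" and "+=" append if missing
                case "$keep" in *" $v "*) ;; *) keep="$keep$v " ;; esac
            fi
        done
    done
    keep=${keep# }
    printf '%s\n' "${keep% }"
)

x11_vars_kept() {
    # Succeeds only if both variables the article adds are in the list.
    kept=" $(effective_env_keep) "
    case "$kept" in *" DISPLAY "*) ;; *) return 1 ;; esac
    case "$kept" in *" XAUTHORITY "*) ;; *) return 1 ;; esac
}

# Constructed sample input: the three lines from the article.
ARTICLE_CONF='Defaults env_reset
Defaults env_keep=DISPLAY
Defaults env_keep+=XAUTHORITY'

# Constructed variant: a later plain "=" line discards both additions.
OVERRIDDEN_CONF="$ARTICLE_CONF
Defaults env_keep = \"LANG LC_ALL\""

printf '%s\n' "$ARTICLE_CONF" | effective_env_keep
printf '%s\n' "$OVERRIDDEN_CONF" | effective_env_keep
```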



  • jmarton says:

    You can always use gnomesu (or kdesu) to launch graphical apps as the root user. For example:

    gnomesu /sbin/yast2

  • MarkCRobinson says:

    Yes, but then you need to know the root password. With sudo configured like this, you have to enter your password not root’s…

  • odie_lif says:

    don’t want my users to know the root password, and still the need to run x-apps sometime…

  • Gianluca says:

    Hi, I tried (from an ssh session as regular user)

    sudo xclock

    but got this error:

    X11 connection rejected because of wrong authentication.
    X11 connection rejected because of wrong authentication.
    Error: Can’t open display: localhost:11.0
