How to get Graphical Applications working with sudo in SLE 10
In SLE 10, the sudo defaults have been modified to enhance security. Unfortunately, this means that some things no longer work the way we were used to in SLES 9. One of the main differences is that graphical applications no longer work by default! In most cases, you also want sudo to prompt for the user's own password rather than root's. Both of these are covered below.
So, run visudo and add the following line at the end of the file:
%users ALL=/usr/X11R6/bin/xeyes
and change the authentication method to prompt for the user’s password by commenting out these lines:
#Defaults targetpw # ask for the password of the target user i.e. root
#ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
If you then try to run xeyes as a normal user, you will see the following:
mark@t43p:~> sudo xeyes
Password or swipe finger:
Error: Can't open display:
This is because SLE 10 clears almost all of the user’s environment variables before starting the new shell as root to ensure that nothing malicious can be passed through.
Fixing this is quite simple. Edit the configuration again and find the following line:
Defaults env_reset
Below this line add the following two lines:
Defaults env_keep=DISPLAY
Defaults env_keep+=XAUTHORITY
This instructs sudo to preserve the DISPLAY setting and the security token setting required to write to the display. Save and quit, and try running xeyes again.
mark@t43p:~> sudo xeyes
Password or swipe finger:
xeyes will now watch your every move!
If you want to confirm that xeyes is indeed running as root, try the following:
mark@t43p:~> ps auxx | grep xeyes
root 16116 0.0 0.0 3368 1568 pts/2 S 11:40 0:00 xeyes
Here I have just used xeyes as an example, but the principle should work for any graphical application.
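To see what the two env_keep lines do, here is an added example (not part of the original article and not sudo's own code) that models in Python how the global Defaults lines combine and which variables of a constructed sample environment survive the reset. It is a simplified model: it assumes an empty starting keep list and env_reset off unless set, ignores per-user or per-host Defaults, and leaves out the variables sudo sets itself; the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the sudoers lines this article ends up with.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep=DISPLAY
Defaults env_keep+=XAUTHORITY
%users ALL=/usr/X11R6/bin/xeyes
"""

# Constructed sample of a caller's environment (values are made up).
SAMPLE_ENV = {"DISPLAY": ":0.0", "XAUTHORITY": "/home/mark/.Xauthority",
              "LD_LIBRARY_PATH": "/tmp/lib", "EDITOR": "vi"}

# One setting inside a Defaults line: [!]name[ op value], value optionally quoted.
SETTING_RE = re.compile(r'(!?)(\w+)(?:\s*(\+=|-=|=)\s*("[^"]*"|[^,\s]+))?')

def effective_env_policy(sudoers_text):
    """Return (env_reset, kept_names) from the global Defaults lines (simplified)."""
    env_reset, kept = False, []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"Defaults\s+(.*)", line)    # global Defaults only
        if not m:
            continue
        for neg, name, op, value in SETTING_RE.findall(m.group(1)):
            names = value.strip('"').split()
            if name == "env_reset":
                env_reset = not neg
            elif name == "env_keep":
                if neg:                           # !env_keep empties the list
                    kept = []
                elif op == "=":                   # '=' replaces the list
                    kept = names
                elif op == "+=":                  # '+=' appends to it
                    kept += [n for n in names if n not in kept]
                elif op == "-=":                  # '-=' removes from it
                    kept = [n for n in kept if n not in names]
    return env_reset, kept

def filter_environment(env, env_reset, kept):
    """Simplified model: the caller's variables that reach the command."""
    if not env_reset:
        return dict(env)
    return {k: v for k, v in env.items()
            if any(fnmatchcase(k, pat) for pat in kept)}
```

With only `Defaults env_reset` in place the kept set is empty, which matches the "Can't open display" error above; note also that a later `env_keep=` line would replace everything kept so far, while `+=` extends it.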
Comments
You can always use gnomesu (or kdesu) to launch graphical apps as the root user. For example:
gnomesu /sbin/yast2
Yes, but then you need to know the root password. With sudo configured like this, you have to enter your password not root’s…
I don’t want my users to know the root password, and there is still the need to run X apps sometimes…
Hi, I tried (from an ssh session as regular user)
sudo xclock
but got this error:
X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
Error: Can’t open display: localhost:11.0