Running graphical programs remotely as root
Sometimes when dealing with Linux servers, you find products that require running a graphical installer as root. That’s fine when you have access to the graphical console, and you can do it using various methods, like gnomesu or kdesu. But what happens when you need to run it via SSH?
Let’s assume that you already dealt with the X11 redirection part (e.g. you’re either connecting to the host with “ssh -X” or using Xming under Windows), and the remote SSH server is configured with “X11Forwarding yes” in /etc/ssh/sshd_config.
There are two ways of doing this, temporarily or permanently. Let’s start with the TEMPORARY way, which would be what most people need:
- As soon as you log in, write down the contents DISPLAY variable as the regular (non-priviledged) user:
user@devel4:~> echo $DISPLAY localhost:10.0
- Become root, then export the variable again:
user@devel4:~> sudo su - devel4:~ # export DISPLAY=localhost:10
- copy the Xorg authorization cookie to root’s home directory, then authorize local graphical connections:
devel4:~ # cp /home/user/.Xauthority ~ devel4:~ # xhost +local: non-network local connections being added to access control list
- 4) you may now execute your graphical program as root. You can use “xclock” to test it, as it’s available on all Linux systems by default:
devel4:~ # xclock &
And you should see the xclock window on your desktop.
Now, for the second part: PERMANENTLY allowing users to run graphical programs via SUDO.
Disclaimer: it’s up to the system administrator to decide whether this is allowed or not. It may be terribly insecure, depending on which programs you decide to allow or not. That’s what SUDO is for. Be careful!
- as root, run the “visudo” command. A vi window will open with /etc/sudoers on it. This is useful, as it also checks for syntax errors when you exit and allows you to re-edit it.
- look for the line that reads “Defaults env_reset”, and change it to “Defaults !env_reset”. This tells sudo to never zero out environment variables.
- look for the line that reads “Defaults env_keep =…”, and the word “DISPLAY” to the end of the line (inside the quotes).
- create a new file /etc/profile.d/copycookie.sh with the following content (sorry for spaces, there is no monospaced font here):
=====[ cut here ]===== if [ ! -z $ORIGINALUSER ] && [ $UID -eq 0 ]; then HOMEDIR=`getent passwd $ORIGINALUSER | rev | cut -d\: -f2 | rev` if [ ! -d ${HOMEDIR} ]; then echo "Could not determine the homedir for user $ORIGINALUSER" else echo "Copying Xorg cookie..." cp ${HOMEDIR}/.Xauthority ~ fi fi =====[ cut here ]=====
From now on all users that are allowed to use SUDO will have the proper environment variables and Xorg authorization cookies to run graphical programs as root.
Have fun, and be safe!
Related Articles
Oct 27th, 2022
Get fresh SLE Micro 5.3 docs – all you need to be productive
Jun 21st, 2022
Manage without Disruption: Introducing SUSE Manager 4.3
Run SAP
SUSE for Public Cloud
Security
Comments
It’s work!!! Thanks Erico.
Hi,
“sudo su -” is not allowered in remoter server, How can I Running graphical programs(e.g wireshark) on remoter server.
we already added wireshark as sudo command in sudoer files.
Wireshark REQUIRES root access to capture packets. You might be able to see the Wireshark GUI with “ssh -X”, but you won’t be able to capture anything as a regular user.
again:
I got this error when execute “sudo wireshark” command:
sudo wireshark
X11 connection rejected because of wrong authentication.
Unable to init server: Could not connect: Connection refused
(wireshark:570): Gtk-WARNING **: cannot open display: localhost:12.0
You need to use “ssh -X” to get the proper credentials/environment variables created.