Re: How to transfer X11 auth across sudo invocation



On Feb 28, 8:15 am, "F. Michael Orr" <michael_or...@xxxxxxxxx> wrote:
On Thu, 28 Feb 2008 06:31:04 -0800, david.karr wrote:
On Feb 28, 4:11 am, dsharp <sharp.d...@xxxxxxxxx> wrote:
On Feb 27, 3:47 pm, "david.karr" <davidmichaelk...@xxxxxxxxx> wrote:

I connect from my Windows box to an AIX 5.3 box using SecureCRT, which
allows the transfer of X11 packets to my local box.

When I log in as myself into the box, with my local Cygwin-provided X
server running, I can display windows perfectly fine.

However, if after logging in, I then "sudo" to an administrative
account and then try to run something that tries to display windows,
it says that it can't connect.

I tried doing "env | sort" from both my user account and the
administrative account, to compare the differences. On the admin
shell, I set the following env vars from their value on my user
account:

DISPLAY, SSH_AUTH_SOCK, SSH_CLIENT, SSH_CLIENT, SSH_CONNECTION,
SSH_TTY

However, it still fails to connect. I imagine that one of these
variables is "tied" to my user account somehow, and won't work if I
just copy the value over (probably a good idea :) ).

So, what can I do to facilitate this connection from the admin
account to my local box's X server?

When you say you sudo to an admin account, do you mean "su - root" (or
"su -") ? If so, have you tried omitting the dash in the su command
so you don't replace the DISPLAY variable established by SecureCRT with
root's DISPLAY variable? On my AIX box, if I have a working X tunnel
via SSH to my user account and do "su - " then I get the same results
you get, but if I just "su" then I can run x in the root shell.

Doug

Well, that was promising for a moment.

Apparently my company restricts the non-"-" form more than the "-" form.
I have permission to sudo using "-", but when I do it without it, it
says:

Sorry, user <me> is not allowed to execute '/usr/bin/su <admin>' as
root on <hostname>.

What I have done to resolve this problem is to write my own wrapper
'su' script in my $HOME/bin directory. The important guts of it are:

I assume you put that in your path before /usr/bin. In any case, this
doesn't work either, because sudo won't let me execute that.

So far, the only way I can get done what I need to get done is to turn
off authentication on the server. I'm not wild about that, but it's
certainly easier than all this xauth manipulation, which still doesn't
appear to work (or at least
.
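
One form of the xauth manipulation mentioned above, as an added example that is not part of the original thread: pick the MIT-MAGIC-COOKIE-1 entry for the forwarded display out of `xauth list` output and turn it into the `xauth add` line to run in the admin shell, so the X server's access control can stay on. The host name `aixhost`, the cookie values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `xauth list` output (not real cookies).
SAMPLE_XAUTH_LIST='aixhost/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
aixhost/unix:11  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# display_number DISPLAY -> "10" for "localhost:10.0"
display_number() {
    d=${1##*:}                  # drop host part up to the last ':' -> "10.0"
    printf '%s\n' "${d%%.*}"    # drop the screen suffix            -> "10"
}

# xauth_add_command DISPLAY   (reads `xauth list` output on stdin)
# Prints the command that re-creates the matching cookie in another
# account's authority file. Returns 1 if no entry matches the display,
# 2 if DISPLAY is empty.
xauth_add_command() {
    num=$(display_number "$1")
    [ -n "$num" ] || return 2
    awk -v n="$num" '
        # fields: display-name  protocol  hex-key
        NF == 3 && $2 == "MIT-MAGIC-COOKIE-1" {
            k = split($1, parts, ":")
            if (parts[k] == n) {
                print "xauth add " $1 " " $2 " " $3
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_XAUTH_LIST" | xauth_add_command "localhost:10.0"

# Real use, in your own login shell:
#   xauth list | xauth_add_command "$DISPLAY"; echo "export DISPLAY=$DISPLAY"
# then, after switching to the admin account with "su -" (which resets the
# environment), run the two printed lines there.
# The cookie gives that account full access to your X display for the
# session, and it is briefly visible in the process list while xauth runs;
# delete it afterwards with: xauth remove <display-name>
```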


