[ALUG] How to allow another user to run something on my X desktop?

Brett Parker iDunno at sommitrealweird.co.uk
Tue Sep 11 09:58:37 BST 2007


On Mon, Sep 10, 2007 at 11:50:12PM +0100, Chris G wrote:
> How can I make it possible for another user to run one specific
> program on my desktop?  I don't want to simply remove the X security
> completely, I'd rather do it by some sort of SUID'ish sort of
> approach.
> 
> 
> The first thing I have tried doesn't work though.  I changed the
> ownership of the program in question to be owned by me and set the
> SUID bit:-
> 
>     -rwsr-xr-x 1 chris root 2497525 2007-02-14 18:54 /usr/local/bin/xvile
> 
> I thought that if anyone else executes the program they would
> 'become' chris but it doesn't work.  However thinking about it now
> I suspect that I'd need to add some code to the program to actually
> change the user as well as setting the permissions as above.
> 
> 
> So, is there any other way to get what I want?  I just want another
> user (it's just one user in particular if that makes it easier) to be
> able to run /usr/local/bin/xvile on my X desktop.  It's a home system
> with me as the only real user so there aren't any serious security
> implications, there aren't any unfriendly users.

You're going to need to know your magic cookie, there's going to be a
bit of work involved! What you'll need to do is something along the
lines of (and I suggest using a wrapper script for it):
        
        * First, you're going to need to know where your XAUTHORITY file
          is - I'd suggest making this work something like adding:
                echo "$XAUTHORITY" > ~/.xauth-filename
          in *your* .xsession or .xinitrc
        * Add to your ~/.ssh/authorized_keys something along the lines
          of:
                command="/usr/local/bin/xvile-chris-wrapper" <ssh public key of other user>
        * Make the wrapper do:
                #!/bin/bash

                # Read the Xauthority path recorded at login
                export XAUTHORITY=$(<~/.xauth-filename)
                # Display of the locally logged-in session
                export DISPLAY=:0
                /usr/local/bin/xvile "$@"

Note: that's only half tested... you can generate the .xauth-filename at
any point after login (it's not actually required to be in the
.xsession), also the wrapper probably wants a bit more error checking
(like, err, checking that ~/.xauth-filename exists, and then checking
that the file referred to in $XAUTHORITY exists...)

The command to run for the other user would be:
        ssh chrisg@$hostname /usr/local/bin/xvile-chris-wrapper

Hope that makes some sense - most of that is off the top of my head, so
could be wrong! Also, note that if they can run any apps (which I'm
guessing they'll be able to because it's xvile...) then they can in
effect steal your screen (if they know what they're doing!).

Cheers,
-- 
Brett Parker
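
The wrapper with the error checking mentioned in the note above, as an added example that is not part of the original post. The paths /usr/local/bin/xvile and ~/.xauth-filename are the post's; the function names, the extra authorized_keys options and the SSH_CONNECTION guard are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original post. Paths (/usr/local/bin/xvile,
# ~/.xauth-filename) are the post's; function names are hypothetical.
# A matching authorized_keys entry can also switch off what the key does not need:
#   command="/usr/local/bin/xvile-chris-wrapper",no-pty,no-port-forwarding,no-agent-forwarding <ssh public key of other user>

# Print the cookie file path stored in pointer file $1, or explain and fail.
resolve_xauthority() {
    pointer=$1
    [ -f "$pointer" ] || { echo "no pointer file: $pointer" >&2; return 1; }

    cookie_file=
    # read returns non-zero when the last line has no newline; the value is still set
    IFS= read -r cookie_file < "$pointer" || :
    [ -n "$cookie_file" ] || { echo "pointer file is empty: $pointer" >&2; return 1; }

    # Only accept an absolute path so the result does not depend on the cwd
    case $cookie_file in
        /*) ;;
        *) echo "not an absolute path: $cookie_file" >&2; return 1 ;;
    esac

    # The cookie file must exist, be readable, and belong to the account running the wrapper
    [ -f "$cookie_file" ] && [ -r "$cookie_file" ] && [ -O "$cookie_file" ] || {
        echo "unusable Xauthority file: $cookie_file" >&2; return 1; }

    printf '%s\n' "$cookie_file"
}

run_xvile() {
    XAUTHORITY=$(resolve_xauthority "$HOME/.xauth-filename") || return 1
    DISPLAY=:0
    export XAUTHORITY DISPLAY
    # With command= in authorized_keys, the client's requested command is ignored
    # and only appears in SSH_ORIGINAL_COMMAND. It is never evaluated here, so the
    # wrapper itself starts only xvile.
    exec /usr/local/bin/xvile
}

# sshd sets SSH_CONNECTION for every session; launch only when run through it.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_xvile
fi
```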