Monday, June 19, 2006

Problems with sudo and remote connections over ssh

SSH is a great tool that gives you security on your terminal sessions. As an improvement, it also provides a way to redirect your X-Windows session through it, so that from a local machine you can execute any graphical application on the remote host.

To work this way under Windows I use the X-Win32 program, which gives you a way to connect to an X-Windows server and, in the latest versions, includes an SSH client (PuTTY) that lets you connect using SSH as described above.

The way SSH tunnels the connection is by creating a virtual display that redirects the traffic of the graphical session through the established ssh connection to the client host. That is easy to see if you take a look at the DISPLAY environment variable.

The problem comes when you have opened a remote xterm and then change user with commands like sudo or su. Those applications erase all the environment variables, including DISPLAY.

The workaround is to create a script that passes that information to a new shell. In the following lines I'll detail that script, which I called sudox.

-------------8<--------------------------------------
#!/bin/sh
#
# sudox by jllaurado
#
# Shell the new user will get; change it to your preferred one.
SHELL=/bin/bash

# $DISPLAY, $HOME and $SHELL are expanded by *this* shell, i.e. with the
# calling user's values, before sudo resets the environment. The values
# are single-quoted inside the -c string so the privileged shell does not
# re-parse them, and they are exported before the interactive shell starts.
sudo $SHELL -i -l -c "DISPLAY='$DISPLAY'; XAUTHORITY='$HOME/.Xauthority'; export DISPLAY XAUTHORITY; exec $SHELL"
-------------8<--------------------------------------

As you can see, the script executes a bash shell (you can change the shell to your preferred one) and then exports the DISPLAY and XAUTHORITY environment variables.
The first, as explained before, points to the virtual SSH X-Windows display, and the second points to the cookie file X-Windows uses to control who is allowed to access your display. That is important, because this script will only work if you change to the root user, since root has access to the .Xauthority file of any user.

Another way to do this is to copy the .Xauthority file from the user that executes the sudox script to the home of the new user, but that way of solving the problem also gives the new user access to your session beyond the lifetime of that shell (you'll have to delete the copy yourself).
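The following script is an added example, not the sudox script from this post. It addresses both limitations discussed above, and goes beyond the original in two ways: it works for any target user, not only root, because it hands over only the xauth cookie for the current display instead of the whole .Xauthority file, and it revokes that cookie again when the shell exits. It assumes xauth(1) and sudo(1) are installed; the function and variable names are my own.

```shell
#!/bin/sh
# sudox-any (added example): open a shell as another user with X
# forwarding preserved, granting that user only the cookie for $DISPLAY
# and removing it again afterwards. Assumes xauth(1) and sudo(1).

# Accept only display names of the form ssh forwarding produces, e.g.
# ":10.0" or "localhost:10.0". Anything else, including shell
# metacharacters, is rejected before it reaches a privileged command.
sudox_valid_display() {
    case "$1" in
        ''|*[!A-Za-z0-9.:_-]*) return 1 ;;
        *:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# The caller's authority file must exist and be readable.
sudox_valid_xauth() {
    [ -f "$1" ] && [ -r "$1" ]
}

# usage: sudox_main [user] [shell]   (defaults: root, /bin/bash)
sudox_main() {
    user=${1:-root}
    shell=${2:-/bin/bash}
    sudox_valid_display "${DISPLAY:-}" || { echo "sudox: DISPLAY unset or malformed" >&2; return 1; }
    xauthfile=${XAUTHORITY:-$HOME/.Xauthority}
    sudox_valid_xauth "$xauthfile" || { echo "sudox: cannot read $xauthfile" >&2; return 1; }

    # Copy only this display's cookie into the target user's own
    # ~/.Xauthority (sudo -H sets HOME to that user's home directory).
    xauth -f "$xauthfile" extract - "$DISPLAY" | sudo -u "$user" -H xauth merge - || return 1

    # Pass DISPLAY through env(1) instead of a -c string, so its value is
    # never re-parsed by the privileged shell.
    sudo -u "$user" -H env DISPLAY="$DISPLAY" "$shell" -l
    status=$?

    # Revoke: drop the cookie from the target user's file again.
    sudo -u "$user" -H xauth remove "$DISPLAY"
    return $status
}

# Only run when invoked with arguments, e.g. "./sudox-any alice".
if [ $# -gt 0 ]; then sudox_main "$@"; fi
```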