0

I have to use a home-built tool at my company which requires 'root' privileges.

To make things worse, it's a GUI application. Normally, I wouldn't execute such things, but I don't have much of a choice.

Currently, I am using

```
xhost + && sudo java -jar servermanager.jar && xhost -
```

to execute the application. This means though, that for the time java is running, access control to the X-Server is disabled.

Granted, this might not be the worst of security issues, but it still got me wondering whether there is a better timed method to execute xhost - immediately after the application has opened its X connection.

TL;DR: How can I execute a command right after a GUI window has opened?

Toby Speight
tannerli
  • If the app doesn't have to open any more windows you might be able to put the app in the background, wait a few seconds for it to start, then call xhost - – Jeff Schaller Feb 18 '16 at 11:40
  • I would have preferred a deterministic trigger but this should work as well... Thank you for the tip – tannerli Feb 18 '16 at 12:30
  • Is there a pgrep installed? – Jeff Schaller Feb 18 '16 at 13:22
  • A minor note - if you have `binfmt-misc` installed (Linux), you can associate Jar files to their interpreter (and most distros will do that by default). So `chmod +x servermanager.jar` and then you should be able to simply execute `./servermanager.jar`. – Toby Speight Feb 18 '16 at 15:11
  • This sounds like an [XY problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). Why do you want to run `xhost +`? This is not necessary to run an X application as root. See [Can I launch a graphical program on another user's desktop as root?](http://unix.stackexchange.com/questions/1596/can-i-launch-a-graphical-program-on-another-users-desktop-as-root) – Gilles 'SO- stop being evil' Feb 18 '16 at 21:34
  • @gilles it is indeed an XY problem... best would be if our tool ran as normal user in the first place and elevated privileges as needed, but I see your point – tannerli Feb 19 '16 at 07:09

3 Answers

1

Local X server

If your X server is local (i.e. Unix socket connection rather than TCP), you could be more fine-grained, and allow only that specific local user:

```
xhost +SI:localuser:root
```

X over SSH

If not, you might consider allowing direct SSH to root (using public-key authentication), with X forwarded over this secured connection, and using this as a replacement for your sudo invocation:

```
ssh -X -f root@localhost java -jar servermanager.jar
```

.Xauthority and sudo

Assuming root can read your .Xauthority file (likely, unless your home dir is on NFS), then you may find that simply putting `XAUTHORITY=$HOME/.Xauthority`¹ in the environment of the command run within sudo will allow it to connect:

```
XAUTHORITY="${XAUTHORITY-$HOME/.Xauthority}" \
  sudo -E java -jar servermanager.jar
```

.Xauthority and xauth

If sudo is configured to not allow passing XAUTHORITY, you could explicitly export the token:

```
xauth extract - "$DISPLAY" | sudo bash -c \
  "xauth merge - && java -jar servermanager.jar"
```

¹$HOME here is the user's home directory, not root's.

Toby Speight
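
An added example, not part of the answer above or any poster's code: a POSIX shell wrapper that combines the answer's `xhost +SI:localuser:root` grant (revoked when the program exits) with its `xauth extract`/`merge` fallback for TCP displays, so `xhost +` is never needed. The function names `is_local_display` and `run_gui_as_root` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run one GUI command as root without ever running `xhost +`.
# Function names are hypothetical; xhost, xauth and sudo are the real tools.

# Succeeds when the display string names a local Unix-socket display
# (":0", "unix:0"); fails for TCP displays such as "localhost:10.0".
is_local_display() {
    case "$1" in
        :*|unix:*|unix/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: run_gui_as_root java -jar servermanager.jar
run_gui_as_root() {
    if [ -z "${DISPLAY:-}" ]; then
        echo "run_gui_as_root: DISPLAY is not set" >&2
        return 2
    fi
    if is_local_display "$DISPLAY"; then
        (
            # Grant access to the local user root only, not to every client.
            xhost +SI:localuser:root >/dev/null || exit 1
            # Revoke on every exit path, including Ctrl-C and kill.
            trap 'xhost -SI:localuser:root >/dev/null' EXIT
            trap 'exit 130' INT TERM
            sudo "$@"
        )
        return $?
    fi
    # TCP display: hand root just this display's cookie and leave the
    # X server's access list untouched.
    xauth extract - "$DISPLAY" |
        sudo sh -c 'xauth merge - && exec "$@"' sh "$@"
}
```

Source the file from your shell startup and call `run_gui_as_root java -jar servermanager.jar`; access control stays enabled for every other client the whole time.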
0

I put the following in my ~/.bash_aliases

```
smg(){
  xhost +
  sudo echo "Starting servermanager" #To get sudo prompt in fg
  sudo java -jar ~/downloads/servermanager.jar 2>/dev/null &
  sleep 5
  xhost -
}
```
tannerli
0

If you have pgrep installed, you could make it more deterministic with something like:

```
smg(){
  xhost +
  sudo echo "Starting servermanager" #To get sudo prompt in fg
  sudo java -jar ~/downloads/servermanager.jar 2>/dev/null &
  while ! pgrep -l servermanager.jar > /dev/null ; do :; done
  xhost -
}
```

... depending on what the final process name ends up being. If it turns out to fire too quickly, you could always keep a small sleep after the while loop.

Jeff Schaller