5

I want to start a second X server from within an already running X session.

Until debian 8 I can edit /etc/X11/Xwrapper.config and change line allowed_users=console to allowed_users=anybody. This allows me as an unprivileged user to run X from within X. X is a setuid wrapper for Xorg.

Things changed in debian 9, X is no longer a setuid wrapper, instead privileges needed by X are ruled by systemd. The file /etc/X11/Xwrapper.config does not exist anymore.

It is possible to restore legacy behaviour with package xserver-xorg-legacy. Then /etc/X11/Xwrapper.config has to contain the lines

allowed_users=anybody
needs_root_rights=yes

Another possibility is to switch to one of tty1...tty6 and to run X with xinit xterm -- :1 vt1 while vt1...vt6 must comply to tty1...tty6. (tty8...tty12 / vt8...vt12 are not available anymore.)

I want to avoid using legacy settings and to avoid switching to console. I want back the possiblity of xinit xterm -- :1 vt8.

How can I setup systemd to allow unprivileged users to start a second X server from within an already running X?

mviereck
  • 2,377
  • 1
  • 18
  • 18
  • I'm not sure this is relevant to your query; have you looked into Xephyr with different permissions? https://en.m.wikipedia.org/wiki/Xephyr – 0xSheepdog Jul 26 '17 at 12:42

1 Answers1

4

I recommend not using xinit, because it is vulnerable. Use startx instead. xinit appears to be written to accept X connections from any user ID, without warning or documentation. startx appears to fix this. I do not know why this situation is tolerated, or how it happened in the first place.

As root:

systemd-run --property PAMName=login \
            --property User=my-user \
            --property StandardInput=tty \
            --property TTYPath=/dev/tty8 \
            sh -c 'chvt 8 && startx /usr/bin/xterm -- :1'

The magic is in defining PAMName=, to open a PAM session, and associating that session with the specific TTY. This gets pam_systemd to do what you want. I spoofed login - though technically you're supposed to define a new PAM "service name" in case it needs some special treatment.

So you can write a script which performs the desired command. Then grant access to run that script as root, using sudo.

If you use SELinux, you'll have to fight that as well.

sourcejedi
  • 48,311
  • 17
  • 143
  • 296
  • Thanks for your comment [here](https://unix.stackexchange.com/questions/556282/how-to-run-startx-from-non-login-e-g-ssh-session-on-linux). I tried your method and it works great! Here's [the script I wrote](http://ix.io/23XE). I'm not sure which of the many duplicates of this question should be closed though – Metamorphic Dec 09 '19 at 13:17