[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: sudo support
|
From: |
Paul Smith |
|
Subject: |
Re: sudo support |
|
Date: |
Mon, 20 Oct 2003 15:04:41 -0400 |
> I would really like to put it back, but we need to find out how
> to provide the X authorization magic. We could work on that.
I don't know if this helps, but I wrote the attached script to allow
sudo to invoke X applications. I think it's pretty secure and it
definitely works. I took the basic idea from xrsh, I believe.
The problem with my script is that it's not graphical: I need something
I can invoke from a menu and have it pop up a GUI login prompt if
necessary.
But it should work in situations where a "normal" invocation wouldn't
work, such as when root doesn't have root privileges to the user's home
directory (maybe the home directory is NFS-mounted).
If you have any questions let me know.
#!/bin/sh
#
# This script allows you to use sudo to invoke an X application without
# having to use "xhost +" or "xhost +<hostname>".
#
# It works by sending the MIT-MAGIC-COOKIE value through the sudo
# command. The application then merges it into a private XAUTH file
# before it runs.
#
# Because the application is assumed to be an X app, we redirect its
# stderr (Gnome applications in particular tend to print a lot of crap
# which is very annoying).
#
# Author:
# Paul D. Smith <address@hidden>
xauthdir=/tmp/.xsudo.$$
xauthfile=$xauthdir/.Xauthority
die () {
echo "$@"
exit 1
}
case "$DISPLAY" in
'') die "ERROR: You must set the \$DISPLAY variable before running xsudo." ;;
esac
[ -d $xauthdir ] && die "ERROR: xsudo private directory '$xauthdir' exists!"
# Make sure we clean up after ourselves
cleanup () {
rm -rf $xauthdir
}
trap cleanup 0 1 2 3 10 12 14 15
# Create the private directory for this invocation
mkdir $xauthdir || die "ERROR: cannot create private directory '$xauthdir'!"
chmod 700 $xauthdir || die "ERROR: cannot chmod '$xauthdir'!"
touch $xauthfile || die "ERROR: cannot create file '$xauthfile'!"
chmod 600 $xauthfile || die "ERROR: cannot chmod '$xauthfile'!"
# Give over the cookie. Technically this needs to be done only once per
# X session, but I don't know of any reliable way to manage this? I
# suppose we could invoke the X program and if it fails due to
# permission errors we could do this then retry. But, what's a good way
# to know if it fails... just grabbing the errors? Ouch!
xauth nlist $DISPLAY | XAUTHORITY="$xauthfile" xauth nmerge -
# Now run the command
XAUTHORITY="$xauthfile" sudo "$@"
# It worked; the trap above will clean up for us.
--
-------------------------------------------------------------------------------
Paul D. Smith <address@hidden> HASMAT: HA Software Mthds & Tools
"Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
These are my opinions---Nortel Networks takes no responsibility for them.