"su -" problem.


"su -" problem.

Carlos E. R.-2

Hi,

This is a problem I hit on some computers only.

I "su -" from my normal user on a terminal under xfce. Then I try to start
any graphical tool, and it fails:

~# xeyes
Error: can't open display
~#

If I instead use "ssh -X root@localhost" it usually works.

This has happened to me on several computers along several years - but not
all of them.

Ideas?

--
Cheers

  Carlos E. R.
  (from 42.2 x86_64 "Malachite" at Telcontar)

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: "su -" problem.

Andrei Borzenkov
01.12.2017 02:09, Carlos E. R. wrote:

>
> Hi,
>
> This is a problem I hit on some computers only.
>
> I "su -" from my normal user on a terminal under xfce. Then I try to
> start any graphical tool, and it fails:
>
> ~# xeyes
> Error: can't open display
> ~#
>
> If I instead use "ssh -X root@localhost" it usually works.
>
> This has happened to me on several computers along several years - but
> not all of them.
>
> Ideas?
>
man 7 Xsecurity
man pam_xauth



Re: "su -" problem.

Carlos E. R.-2

On Friday, 2017-12-01 at 06:32 +0300, Andrei Borzenkov wrote:

> 01.12.2017 02:09, Carlos E. R. wrote:
>>
>> Hi,
>>
>> This is a problem I hit on some computers only.
>>
>> I "su -" from my normal user on a terminal under xfce. Then I try to
>> start any graphical tool, and it fails:
>>
>> ~# xeyes
>> Error: can't open display
>> ~#
>>
>> If I instead use "ssh -X root@localhost" it usually works.
>>
>> This has happened to me on several computers along several years - but
>> not all of them.
>>
>> Ideas?
>>
>
> man 7 Xsecurity
> man pam_xauth
I never touch those things, specially pam, they are at defaults.
Anyway:

cer@Telcontar:~> man 7 Xsecurity
No manual entry for Xsecurity in section 7
cer@Telcontar:~>
cer@Telcontar:~> apropos xsecurity
xsecurity: nothing appropriate.
cer@Telcontar:~>

--
Cheers,
        Carlos E. R.
        (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)


Re: "su -" problem.

L A Walsh
In reply to this post by Carlos E. R.-2
Carlos E. R. wrote:
> I "su -" from my normal user on a terminal under xfce. Then I try to start
> any graphical tool, and it fails:
>
> ~# xeyes
> Error: can't open display
>  
---
    Is there a reason you used "su - xxx" instead of "su xxx" or
"sudo xxx"?

    su - clears most of your ENV vars.  It doesn't clear TERM,
but DISPLAY and REMOTEHOST weren't around when that decision was
made.  You'll need to reset your DISPLAY value to whatever it was
before you did the "su - xxx" or just 'su xxx' or a properly configured
sudo.

> ~#
>
> If I instead use "ssh -X root@localhost" it usually works.
>  
ssh came along after DISPLAY, so it's one that is passed -- especially
when you use the -X.




Re: "su -" problem.

Carlos E. R.-2

On Friday, 2017-12-01 at 10:57 -0800, L A Walsh wrote:

> Carlos E. R. wrote:
>>  I "su -" from my normal user on a terminal under xfce. Then I try to start
>>  any graphical tool, and it fails:
>>
>> ~ # xeyes
>>  Error: can't open display
>>
> ---
>   Is there a reason you used "su - xxx" instead of "su xxx" or
> "sudo xxx"?

I never use sudo. In my machine it only works for those commands I
explicitly allow.

And "su -" because it is more similar to login, sets the home directory
for instance.

In this machine, it works fine. On some others, it fails with X. And only
on some others.

>   su - clears most of your ENV vars.  It doesn't clear TERM,
> but DISPLAY and REMOTEHOST weren't around when that decision was
> made.  You'll need to reset your DISPLAY value to whatever it was
> before you did the "su - xxx" or just 'su xxx' or a properly configured
> sudo.

Ah, I'll try. [...] No, doesn't work, same error.
Plain "su" does work, though.

>
>> ~ #
>>
>>  If I instead use "ssh -X root@localhost" it usually works.
>>
> ssh came along after DISPLAY, so it's one that is passed -- especially
> when you use the -X.

Ah.

--
Cheers,
        Carlos E. R.
        (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)


Re: "su -" problem.

Basil Chupin-2
In reply to this post by L A Walsh
On 02/12/17 05:57, L A Walsh wrote:

> Carlos E. R. wrote:
>> I "su -" from my normal user on a terminal under xfce. Then I try to
>> start any graphical tool, and it fails:
>>
>> ~# xeyes
>> Error: can't open display
>>  
> ---
>    Is there a reason you used "su - xxx" instead of "su xxx" or
> "sudo xxx"?
>
>    su - clears most of your ENV vars.  It doesn't clear TERM,
> but DISPLAY and REMOTEHOST weren't around when that decision was
> made.  You'll need to reset your DISPLAY value to whatever it was
> before you did the "su - xxx" or just 'su xxx' or a properly configured
> sudo.
>
>> ~#
>>
>> If I instead use "ssh -X root@localhost" it usually works.
>>  
> ssh came along after DISPLAY, so it's one that is passed -- especially
> when you use the -X.

Welcome back, Linda.

The circumstances surrounding your return will never be forgotten.

BC

--
"You should never argue about politics or religion. Or anything else
if you're going to come out with crap like that."
                                              Anonymous circa 2013




Re: "su -" problem.

Peter Suetterlin
In reply to this post by Carlos E. R.-2
Carlos E. R. wrote:

> This is a problem I hit on some computers only.
>
> I "su -" from my normal user on a terminal under xfce. Then I try to start
> any graphical tool, and it fails:
>
> ~# xeyes
> Error: can't open display
> ~#
>
> If I instead use "ssh -X root@localhost" it usually works.
>
> This has happened to me on several computers along several years - but not
> all of them.
>
> Ideas?

cat /etc/pam.d/su
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  sufficient     pam_rootok.so
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so

Guess the last line is missing on the hosts where it doesn't work?


Re: "su -" problem.

ellanios82
In reply to this post by Basil Chupin-2
On 02/12/17 02:45, Basil Chupin wrote:
> Welcome back, Linda


Welcome back, Linda


......
  regards



Re: "su -" problem.

Carlos E. R.-2
In reply to this post by Peter Suetterlin

On Saturday, 2017-12-02 at 13:13 -0000, pit wrote:

> Carlos E. R. wrote:
>
...

>> Ideas?
>
> cat /etc/pam.d/su
> auth     sufficient     pam_rootok.so
> auth     include        common-auth
> account  sufficient     pam_rootok.so
> account  include        common-account
> password include        common-password
> session  include        common-session
> session  optional       pam_xauth.so
>
> Guess the last line is missing on the hosts where it doesn't work?

Isengard:~ # cat /etc/pam.d/su
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  sufficient     pam_rootok.so
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so
Isengard:~ #

No... :-(

And the one that works has the same.

--
Cheers,
        Carlos E. R.
        (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)

Re: "su -" problem.

Andrei Borzenkov
03.12.2017 16:39, Carlos E. R. wrote:

>
>
> On Saturday, 2017-12-02 at 13:13 -0000, pit wrote:
>
>> Carlos E. R. wrote:
>
> ...
>
>>> Ideas?
>
>> cat /etc/pam.d/su
>> auth     sufficient     pam_rootok.so
>> auth     include        common-auth
>> account  sufficient     pam_rootok.so
>> account  include        common-account
>> password include        common-password
>> session  include        common-session
>> session  optional       pam_xauth.so
>
>> Guess the last line is missing on the hosts where it doesn't work?
>
> Isengard:~ # cat /etc/pam.d/su
"su -" is using su-l PAM service.

> #%PAM-1.0
> auth     sufficient     pam_rootok.so
> auth     include        common-auth
> account  sufficient     pam_rootok.so
> account  include        common-account
> password include        common-password
> session  include        common-session
> session  optional       pam_xauth.so
> Isengard:~ #
>
> No... :-(
>
> And the one that works has the same.
>
> -- Cheers,
>        Carlos E. R.
>        (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
>



Re: "su -" problem.

Carlos E. R.-2

On Sunday, 2017-12-03 at 16:56 +0300, Andrei Borzenkov wrote:

> 03.12.2017 16:39, Carlos E. R. wrote:
>> On Saturday, 2017-12-02 at 13:13 -0000, pit wrote:

> "su -" is using su-l PAM service.

Ah, thanks.

Not working:

Isengard:~ # cat /etc/pam.d/su-l
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  sufficient     pam_rootok.so
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so
Isengard:~ #

Working:

cer@Telcontar:~> cat /etc/pam.d/su-l
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  sufficient     pam_rootok.so
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so
cer@Telcontar:~>


I don't see (visually) any difference :-?


--
Cheers,
        Carlos E. R.
        (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)


Re: "su -" problem.

Peter Suetterlin
Carlos E. R. wrote:

> I don't see (visually) any difference :-?

Well, then go back to his first suggestion:  man pam_xauth :D

In detail, try putting the 'debug' option in /etc/pam.d/su-l:

session  optional       pam_xauth.so debug

and check the syslog.  Does any of the user/root directories involved have a
~/.xauth directory?  From the manpage:


       pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable.

       Primitive access control is provided by ~/.xauth/export in the invoking user's home directory and ~/.xauth/import in the target user's
       home directory.

       If a user has a ~/.xauth/import file, the user will only receive cookies from users listed in the file. If there is no ~/.xauth/import
       file, the user will accept cookies from any other user.



Re: "su -" problem.

Andrei Borzenkov
In reply to this post by Carlos E. R.-2
03.12.2017 17:00, Carlos E. R. wrote:

>
>
> On Sunday, 2017-12-03 at 16:56 +0300, Andrei Borzenkov wrote:
>
>> 03.12.2017 16:39, Carlos E. R. wrote:
>>> On Saturday, 2017-12-02 at 13:13 -0000, pit wrote:
>
>> "su -" is using su-l PAM service.
>
> Ah, thanks.
>
> Not working:
>
> Isengard:~ # cat /etc/pam.d/su-l
> #%PAM-1.0
> auth     sufficient     pam_rootok.so
> auth     include        common-auth
> account  sufficient     pam_rootok.so
> account  include        common-account
> password include        common-password
> session  include        common-session
> session  optional       pam_xauth.so
> Isengard:~ #
>
> Working:
>
> cer@Telcontar:~> cat /etc/pam.d/su-l
> #%PAM-1.0
> auth     sufficient     pam_rootok.so
> auth     include        common-auth
> account  sufficient     pam_rootok.so
> account  include        common-account
> password include        common-password
> session  include        common-session
> session  optional       pam_xauth.so
> cer@Telcontar:~>
>
>
> I don't see (visually) any difference :-?
>
Well, add "debug" parameter to pam_xauth.so to see what it does in each
case. Your original (truncated) error message implies $DISPLAY is empty and
in normal case pam_xauth is the only module that forwards it.



Re: "su -" problem.

Carlos E. R.-2
In reply to this post by Peter Suetterlin

On Sunday, 2017-12-03 at 15:47 -0000, pit wrote:
> Carlos E. R. wrote:
>
>> I don't see (visually) any difference :-?
>
> Well, then go back to his first suggestion:  man pam_xauth :D
>
> In detail, try putting the 'debug' option in /etc/pam.d/su-l:
>
> session  optional       pam_xauth.so debug

I could try that...

> and check the syslog.  Does any of the user/root directories involved have a
> ~/.xauth directory?  From the manpage:
>
>
>       pam_xauth will only forward keys if xauth can list a key connected to the $DISPLAY environment variable.
>
>       Primitive access control is provided by ~/.xauth/export in the invoking user's home directory and ~/.xauth/import in the target user's
>       home directory.
>
>       If a user has a ~/.xauth/import file, the user will only receive cookies from users listed in the file. If there is no ~/.xauth/import
>       file, the user will accept cookies from any other user.

In the computer that works, there is no ~/.xauth/ directory. Same in the
computer that does not work.

--
Cheers,
        Carlos E. R.
        (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)


Re: "su -" problem.

Carlos E. R.-2
In reply to this post by Andrei Borzenkov

On Sunday, 2017-12-03 at 19:19 +0300, Andrei Borzenkov wrote:

> 03.12.2017 17:00, Carlos E. R. wrote:
>>
>>
>> On Sunday, 2017-12-03 at 16:56 +0300, Andrei Borzenkov wrote:
>>
>>> 03.12.2017 16:39, Carlos E. R. wrote:
>>>> On Saturday, 2017-12-02 at 13:13 -0000, pit wrote:
>>
>>> "su -" is using su-l PAM service.
>>
>> Ah, thanks.
>>
>> Not working:
>>
>> Isengard:~ # cat /etc/pam.d/su-l
>> #%PAM-1.0
>> auth     sufficient     pam_rootok.so
>> auth     include        common-auth
>> account  sufficient     pam_rootok.so
>> account  include        common-account
>> password include        common-password
>> session  include        common-session
>> session  optional       pam_xauth.so
>> Isengard:~ #
>>
>> Working:
>>
>> cer@Telcontar:~> cat /etc/pam.d/su-l
>> #%PAM-1.0
>> auth     sufficient     pam_rootok.so
>> auth     include        common-auth
>> account  sufficient     pam_rootok.so
>> account  include        common-account
>> password include        common-password
>> session  include        common-session
>> session  optional       pam_xauth.so
>> cer@Telcontar:~>
>>
>>
>> I don't see (visually) any difference :-?
>>
>
> Well, add "debug" parameter to pam_xauth.so to see what it does in each
> case. Your original (truncated) error message implies $DISPLAY is empty and
> in normal case pam_xauth is the only module that forwards it.
Yes, DISPLAY is empty in the machine that works. I did not paste output
from that machine into the mail list because that machine doesn't have
email configured, it has its own keyboard, I was trying locally on it.
Thus I hand copied the error message.

Writing the debug option now. [...] This is the log section:

<10.3> 2017-12-03T21:28:25.068246+01:00 Isengard su - - -  The gnome keyring socket is not owned with the same credentials as the user login: /run/user/1000/keyring/control
<10.3> 2017-12-03T21:28:25.068801+01:00 Isengard su - - -  gkr-pam: couldn't unlock the login keyring.
<4.5> 2017-12-03T21:28:25.085723+01:00 Isengard su - - -  (to root) cer on pts/12
<10.6> 2017-12-03T21:28:25.086657+01:00 Isengard su - - -  pam_unix(su-l:session): session opened for user root by (uid=1000)
<10.7> 2017-12-03T21:28:25.089408+01:00 Isengard su - - -  pam_systemd(su-l:session): Cannot create session: Already running in a session
<10.7> 2017-12-03T21:28:25.089928+01:00 Isengard su - - -  pam_xauth(su-l:session): requesting user 1000/100, target user 0/0
<10.7> 2017-12-03T21:28:25.092222+01:00 Isengard su - - -  pam_xauth(su-l:session): /home/cer/.xauth/export does not exist, ignoring
<10.7> 2017-12-03T21:28:25.092723+01:00 Isengard su - - -  pam_xauth(su-l:session): /root/.xauth/import does not exist, ignoring
<10.7> 2017-12-03T21:28:25.093107+01:00 Isengard su - - -  pam_xauth(su-l:session): reading keys from `/home/cer/.Xauthority'
<10.7> 2017-12-03T21:28:25.093395+01:00 Isengard su - - -  pam_xauth(su-l:session): running "/usr/bin/xauth -f /home/cer/.Xauthority nlist :0.0" as 1000/100
<10.7> 2017-12-03T21:28:25.094920+01:00 Isengard su - - -  pam_xauth(su-l:session): no key

I'll now try on the machine that does work:

<10.3> 2017-12-03 21:30:35 Telcontar su - - -  The gnome keyring socket is not owned with the same credentials as the user login: /run/user/1000/keyring/control
<10.3> 2017-12-03 21:30:35 Telcontar su - - -  gkr-pam: couldn't unlock the login keyring.
<4.5> 2017-12-03 21:30:35 Telcontar su - - -  (to root) cer on pts/37
<10.6> 2017-12-03 21:30:35 Telcontar su - - -  pam_unix(su-l:session): session opened for user root by (uid=1000)
<10.7> 2017-12-03 21:30:35 Telcontar su - - -  pam_systemd(su-l:session): Cannot create session: Already running in a session
<10.7> 2017-12-03 21:30:35 Telcontar su - - -  pam_xauth(su-l:session): requesting user 1000/100, target user 0/0
<10.7> 2017-12-03 21:30:35 Telcontar su - - -  pam_xauth(su-l:session): /home/cer/.xauth/export does not exist, ignoring
<10.7> 2017-12-03 21:30:35 Telcontar su - - -  pam_xauth(su-l:session): /root/.xauth/import does not exist, ignoring
<10.7> 2017-12-03 21:30:35 Telcontar su - - -  pam_xauth(su-l:session): reading keys from `/home/cer/.Xauthority'
<10.7> 2017-12-03 21:30:35 Telcontar su - - -  pam_xauth(su-l:session): running "/usr/bin/xauth -f /home/cer/.Xauthority nlist :0.0" as 1000/100
<10.7> 2017-12-03 21:30:35 Telcontar su - - -  pam_xauth(su-l:session): writing key `0100 0009 54656c636f6e746172 0001 30 0012 4d49542d4d414749432d434f4f4b49452d31 0010 49ca804d6fcdeb415f7c48dfe678ebfc#012' to temporary file `/root/.xauthHPgge6'
<10.7> 2017-12-03 21:30:35 Telcontar su - - -  pam_xauth(su-l:session): running "/usr/bin/xauth -f /root/.xauthHPgge6 nmerge -" as 0/0

cer@Isengard:~> l .Xauthority
-rw------- 1 cer users 206 Dec  3 21:23 .Xauthority
cer@Isengard:~>

cer@Telcontar:~> l  .Xauthority
-rw------- 1 cer users 898 Nov 15 02:37 .Xauthority
cer@Telcontar:~>

I see that on Telcontar a key is written, and on Isengard it isn't (says
"no key"). Then it runs xauth again on Telcontar (the one that works).
But I have no idea how to interpret the log, though.

--
Cheers,
        Carlos E. R.
        (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)


Re: "su -" problem.

Andrei Borzenkov
03.12.2017 23:38, Carlos E. R. wrote:
> <10.7> 2017-12-03T21:28:25.093395+01:00 Isengard su - - -
> pam_xauth(su-l:session): running "/usr/bin/xauth -f
> /home/cer/.Xauthority nlist :0.0" as 1000/100
> <10.7> 2017-12-03T21:28:25.094920+01:00 Isengard su - - -
> pam_xauth(su-l:session): no key
>
...
>
> cer@Isengard:~> l .Xauthority
> -rw------- 1 cer users 206 Dec  3 21:23 .Xauthority
> cer@Isengard:~>
>

what

echo $DISPLAY
xauth list

say here?



Re: "su -" problem.

Carlos E. R.-2

On Monday, 2017-12-04 at 06:24 +0300, Andrei Borzenkov wrote:

> 03.12.2017 23:38, Carlos E. R. wrote:
>> <10.7> 2017-12-03T21:28:25.093395+01:00 Isengard su - - -
>> pam_xauth(su-l:session): running "/usr/bin/xauth -f
>> /home/cer/.Xauthority nlist :0.0" as 1000/100
>> <10.7> 2017-12-03T21:28:25.094920+01:00 Isengard su - - -
>> pam_xauth(su-l:session): no key
>>
> ...
>>
>> cer@Isengard:~> l .Xauthority
>> -rw------- 1 cer users 206 Dec  3 21:23 .Xauthority
>> cer@Isengard:~>
>>
>
> what
>
> echo $DISPLAY
empty

> xauth list
>
> say here?
>
>
Isengard:~ # cat p

Isengard/unix:16  MIT-MAGIC-COOKIE-1  6028e808083df347485be0017d5ed244
Isengard/unix:17  MIT-MAGIC-COOKIE-1  4b4c547ea3bc186f7a0cdf0e22559d3d
Isengard/unix:14  MIT-MAGIC-COOKIE-1  dabb5afa723277cc3431923b0f8fe39a
Isengard/unix:11  MIT-MAGIC-COOKIE-1  0faa05f1092b346671b0a60971279e0a
Isengard/unix:12  MIT-MAGIC-COOKIE-1  ff4a728282551684174a6e87ea761625
Isengard:~ #


(I did
  echo $DISPLAY > p
  xauth list >> p
to get it - there is no email on that machine)


Whereas on telcontar I get:

Telcontar:~ # echo $DISPLAY
:0.0
Telcontar:~ # xauth list
Telcontar/unix:0  MIT-MAGIC-COOKIE-1  49ca804d6fcdeb415f7c48dfe678ebfc
Telcontar:~ #

--
Cheers,
        Carlos E. R.
        (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
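
Added example (not part of any message in this thread, and not pam_xauth's own code): the man page text quoted earlier says pam_xauth forwards a key only if xauth can list one for $DISPLAY, and the debug logs show it running "xauth ... nlist :0.0". The sketch below approximates that lookup over the text of `xauth list`; the function names, the simplified host/unix matching rule and the sample lists with placeholder cookies are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not part of pam_xauth.

# Split DISPLAY ("[host]:number[.screen]") into "host number".
# An empty host or "unix" both mean a local display.
parse_display() {
    pd_value=$1
    case $pd_value in
        *:*) ;;
        *) return 1 ;;
    esac
    pd_host=${pd_value%:*}
    pd_num=${pd_value##*:}
    pd_num=${pd_num%%.*}            # drop the optional ".screen" suffix
    case $pd_num in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$pd_host" = "unix" ]; then pd_host=""; fi
    printf '%s %s\n' "$pd_host" "$pd_num"
}

# Print the auth protocol of the first `xauth list` entry matching DISPLAY.
# $1 = DISPLAY value, $2 = text of `xauth list`.
# Returns 0 = entry found, 1 = no entry, 2 = DISPLAY not parseable.
key_for_display() {
    kd_parsed=$(parse_display "$1") || return 2
    kd_host=${kd_parsed% *}
    kd_num=${kd_parsed#* }
    printf '%s\n' "$2" | awk -v h="$kd_host" -v n="$kd_num" '
        NF >= 3 {
            pos = match($1, /:[0-9]+$/)
            if (!pos) next
            num  = substr($1, pos + 1)
            name = substr($1, 1, pos - 1)
            is_local = (name ~ /\/unix$/)     # "host/unix:N" is a local entry
            if (num != n) next
            if ((h == "" && is_local) || (h != "" && !is_local && name == h)) {
                print $2; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# Classify the situation before "su -": is there anything to forward?
diagnose() {
    if [ -z "$1" ]; then
        echo "display-unset"
        return 0
    fi
    dg_rc=0
    key_for_display "$1" "$2" >/dev/null || dg_rc=$?
    case $dg_rc in
        0) echo "key-found" ;;
        1) echo "no-key" ;;
        *) echo "display-invalid" ;;
    esac
}

# Constructed sample lists (placeholder cookies, same layout as `xauth list`).
WORKING_LIST='Telcontar/unix:0  MIT-MAGIC-COOKIE-1  00000000000000000000000000000000'
FAILING_LIST='Isengard/unix:16  MIT-MAGIC-COOKIE-1  11111111111111111111111111111111
Isengard/unix:11  MIT-MAGIC-COOKIE-1  22222222222222222222222222222222'

echo "list with an entry for display 0:    $(diagnose ':0.0' "$WORKING_LIST")"
echo "list without an entry for display 0: $(diagnose ':0.0' "$FAILING_LIST")"
echo "DISPLAY empty:                       $(diagnose '' "$FAILING_LIST")"
```

On a real host, run it as the invoking user before "su -" with "$DISPLAY" and "$(xauth list)" as the two arguments to diagnose.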


Re: "su -" problem.

Andrei Borzenkov
04.12.2017 07:01, Carlos E. R. wrote:

>
>
> On Monday, 2017-12-04 at 06:24 +0300, Andrei Borzenkov wrote:
>
>> 03.12.2017 23:38, Carlos E. R. wrote:
>>> <10.7> 2017-12-03T21:28:25.093395+01:00 Isengard su - - -
>>> pam_xauth(su-l:session): running "/usr/bin/xauth -f
>>> /home/cer/.Xauthority nlist :0.0" as 1000/100
>>> <10.7> 2017-12-03T21:28:25.094920+01:00 Isengard su - - -
>>> pam_xauth(su-l:session): no key
>>>
>> ...
>>>
>>> cer@Isengard:~> l .Xauthority
>>> -rw------- 1 cer users 206 Dec  3 21:23 .Xauthority
>>> cer@Isengard:~>
>>>
>
>> what
>
>> echo $DISPLAY
>
Sorry? You are doing it in an X11 session, aren't you?

> empty
>
>> xauth list
>
>> say here?
>
>
> Isengard:~ # cat p
>
> Isengard/unix:16  MIT-MAGIC-COOKIE-1  6028e808083df347485be0017d5ed244
> Isengard/unix:17  MIT-MAGIC-COOKIE-1  4b4c547ea3bc186f7a0cdf0e22559d3d
> Isengard/unix:14  MIT-MAGIC-COOKIE-1  dabb5afa723277cc3431923b0f8fe39a
> Isengard/unix:11  MIT-MAGIC-COOKIE-1  0faa05f1092b346671b0a60971279e0a
> Isengard/unix:12  MIT-MAGIC-COOKIE-1  ff4a728282551684174a6e87ea761625
> Isengard:~ #
>



Re: addressing email to poster if talking to poster.

L A Walsh
In reply to this post by ellanios82
ellanios82 wrote:
> On 02/12/17 02:45, Basil Chupin wrote:
>  
>> Welcome back, Linda
>>
>> Welcome back, Linda
>>   regards
>>    

Thanks... Now if I could only get people to Cc the person they
are addressing, I would see these soon after they were sent
vs. some time later...when they go to group, they get filed
in my opensuse group folder vs. when addressed to me, they
go to the "addressed_to_me" folder which gets about 5x more
often.

Email is much more like conversation than a book...  When you
are in a group and someone says something that you specifically
answer, don't you usually look at them when talking to them?

:-)

(it is in the email "standards"  ... *str8t face*).




Re: "su -" problem.

L A Walsh
In reply to this post by Carlos E. R.-2
Carlos E. R. wrote:

>>    
>>> ~ # xeyes
>>>  Error: can't open display
>>>      
>> ---la walsh---:
>>   Is there a reason you used "su - xxx" instead of "su xxx" or
>> "sudo xxx"?
>>    
>
> I never use sudo. In my machine it only works for those commands I
> explicitly allow.
>  
----
    To each their own.  I include use of sudo in scripts so
most of the script runs in user-mode, but some commands need
to be run as root.

> And "su -" because it is more similar to login, sets the home directory
> for instance.
>  
Right -- when you login on a terminal, by default, DISPLAY isn't
set, only when you log in on a graphical terminal under X, will it
usually be set.

> In this machine, it works fine. On some others, it fails with X. And only
> on some others.
>
>  
>>   su - clears most of your ENV vars.  It doesn't clear TERM,
>> but DISPLAY and REMOTEHOST weren't around when that decision was
>> made.  You'll need to reset your DISPLAY value to whatever it was
>> before you did the "su - xxx" or just 'su xxx' or a properly configured
>> sudo.
>>    
>
> Ah, I'll try. [...] No, doesn't work, same error.
> Plain "su" does work, though.
>  
----
    Um... now wait a poo -- I would expect it to work with
plain 'su', as it shouldn't clear the ENV.  But if you
check the value of DISPLAY before and after your "su - user",
you'll see it has been cleared.  I suspect you forgot to re-EXPORT
DISPLAY after you set it?

Ishtar:law> echo $DISPLAY
athenae:0
Ishtar:law> su - law
su: ignoring --preserve-environment, it's mutually exclusive with --login
Password:
law> echo $DISPLAY
:0
law> xlogo
Error: Can't open display: :0
law> export DISPLAY=athenae:0
law> xlogo &
law> #(no error)

Even my prompt changes with 'su -', as PAM no longer knows you are
logging in from a remote system, so REMOTEHOST
doesn't get set in my "/etc/security/pam_env.conf".  I put my
hostname in my prompt if my prompt setup detects I'm
logging in remotely.

Only when you 1st log in to your system can you see 'REMOTEHOST'
(if there is one).

Thus pointing out the need for pam_env.conf only being called
when you 1st log in to your system.  There needs to be another
"pam_session_env.conf" for reinitializing a session.  I've
seen some people mistakenly try to redefine 'pam_env' as being
something that should be called/session -- which loses
REMOTEHOST & a remote DISPLAY (as pam no longer knows the remote
host -- which is only known on initial contact).


-l

