How to run graphical applications with su or sudo

In this blogpost I’ll describe how to run graphical applications under a different user account in your current desktop session (i.e. without fast user switching). It involves some fiddling with the system configuration and is not intended for users without advanced system knowledge. The instructions were created for Fedora 18.

Everything mentioned here was discovered through a trial-and-error approach, I don’t have any expertise in this area. Some of the advice might not be fully correct. I have talked to a few qualified people and I was told that Linux doesn’t support this properly and some applications might display some glitches or not work at all. Consider this a best-effort solution – it might work perfectly for some applications, but you can’t expect it to work in general.

Some background

In my setup I have a regular user account kparal and also a second user account gamer that I use for several purposes:

  • Playing games. I use GNOME Fallback mode, so I get slightly better framerates (I have a very slow graphic card and it really makes a difference).
  • Running unknown and “not so trustworthy” tools and scripts, often downloaded somewhere from the Internet (i.e. not packaged in Fedora). I do not really expect malware in these tools, but more likely serious bugs. I like to know that the unknown script can’t delete my personal data by accident.

But using the second user account is sometimes also inconvenient:

  • If you need to transfer a piece of text (e.g. a hyperlink) from one account to the other, it involves saving it as a file, copying it and fixing permissions. Ugh.
  • If you are inside the gamer session, you don’t see any notifications from your kparal’s IM clients, mail clients, etc. You need to switch back and forth all the time to check your messages and reply.
  • If you are inside gamer session, you can’t easily access some files in your kparal home folder that you would like to, e.g. music. Just to play some background music, you need to fiddle with your data, set up permissions, etc. Boring.

Over the weekend I installed Steam. Obviously I run it under the gamer account. Not just because of performance, but also because my trust in Steam is far from being 100%. It downloads lots of external binaries and executes them. I trust that Valve is careful not to have any security incident (e.g. malware added to some of their game updates), they certainly have some security checks and policies, but how reliable are those? Does Steam execute everything inside some sandbox? I don’t know and honestly, running Steam (and dozens of third-party binaries it executes) in a separate account seems like a reasonable trade-off.

When I tried to buy a game in Steam, I needed to log in to my Moneybookers account. But my financial passwords usually consist of 20 random characters and are safely stored in a password manager in the kparal session. I got very annoyed at this point. The string is too long to remember, I was offended by the idea of writing it down (what do we have technology for if I need to use paper?) and I didn’t really want to save it in a plain text file on disk. Call it a whim. So how do I transfer it? Why on earth can’t I just run Steam under the gamer account inside my kparal session and copy and paste it? Windows can do it!

Well, it turns out Linux can do this too, more or less, but it needs a few tweaks. After that you can run any application under a different user account inside your desktop session. Let’s see how.

Basic application window

If you log in using su and run a sample graphical application, it should work out of the box:

kparal@kraken ~ $ su - gamer -c gcalctool
Password: 

** (gcalctool:3969): WARNING **: Couldn't register with accessibility bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

** (gcalctool:3969): CRITICAL **: unable to create directory '/run/user/1000/dconf': Permission denied.  dconf will not work properly.
(repeated many times)

There are some accessibility bus warnings, but I haven’t seen any loss of functionality, so I consider them mostly harmless. The dconf errors are arguably a bug and you might lose some functionality because of them – application settings might not be loaded or saved. The cause is visible in the message: the inherited XDG_RUNTIME_DIR points to /run/user/1000, the runtime directory of the original user, which gamer is not allowed to write to. If you see these errors, you should unset the XDG_RUNTIME_DIR variable first:

kparal@kraken ~ $ su - gamer
Password: 
gamer@kraken ~ $ unset XDG_RUNTIME_DIR
gamer@kraken ~ $ gcalctool

 ** (gcalctool:3969): WARNING **: Couldn't register with accessibility bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

At this point most of your graphical applications should work just fine (the only problem I’ve found is that the global GNOME menu doesn’t work with them). Some of their functionality may be lost, however, especially if the application tries to communicate over D-Bus with other processes. According to the information I gathered, you might improve the situation in certain cases by running the application with dbus-launch:

gamer@kraken ~ $ dbus-launch your-application

I haven’t yet seen any application where this would be required, so I can’t provide any more details. Basically if you see any errors regarding D-Bus, you can expect some loss of functionality. But often you might not care, it depends on what you need to achieve with that particular application.

Using sudo instead of su

I like to use sudo instead of su, because it caches your password and can even be configured to not ask for one at all. However, the approach is not so straightforward here and requires more tweaking. Only follow this section if su doesn’t suit your needs.

In the basic workflow, this is what you will see when using the sudo command:

kparal@kraken ~ $ sudo -i -u gamer gcalctool
No protocol specified

** (gcalctool:5113): WARNING **: Could not open X display
No protocol specified

(gcalctool:5113): Gtk-WARNING **: cannot open display: :0

This is because your X server’s access control does not allow anyone but your own user to connect to it (if I understand it correctly):

kparal@kraken ~ $ xhost
access control enabled, only authorized clients can connect
SI:localuser:kparal

If you want to use sudo instead of su, you need to allow gamer to display windows in your session. Like this:

kparal@kraken ~ $ xhost +si:localuser:gamer
localuser:gamer being added to access control list

kparal@kraken ~ $ xhost
access control enabled, only authorized clients can connect
SI:localuser:gamer
SI:localuser:kparal

Now try it again:

kparal@kraken ~ $ sudo -i -u gamer gcalctool

The calculator should appear just fine. The xhost command has to be executed after each session start, so I wanted to add it to ~kparal/.xprofile, but then I found out that Fedora doesn’t source that file. I added it to ~kparal/.profile instead like this:

# allow gamer to display apps on this X server
# (don't do that for local non-X and any remote connections)
if [ -n "$DISPLAY" -a -z "$SSH_CLIENT" ]; then
    xhost +si:localuser:gamer
fi

I now used the command above to run Steam in my session and paste in the Moneybookers login credentials conveniently. Success!
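As an added example (not code from the original post), here is a small wrapper that turns the sudo workflow above into a per-application one: it grants the second account access to the X server only while one application runs, revokes the grant when the application exits, and strips XDG_RUNTIME_DIR so the application does not inherit a runtime directory it cannot write to (the cause of the dconf errors in the su section). The user name as first argument, sudo being configured for the caller, and the revoke-on-exit behaviour are my assumptions, not part of the post’s setup.

```shell
#!/bin/sh
# Added example, not part of the original post: run one application as another
# local user with a temporary X server grant instead of a session-wide one.
# Assumptions: the target user is given as the first argument, sudo is already
# configured for the caller, and xhost (xorg-x11-server-utils) is installed.

# in_local_x_session: true when DISPLAY is set and this is not an SSH login,
# the same condition the .profile snippet uses.
in_local_x_session() {
    [ -n "$DISPLAY" ] && [ -z "$SSH_CLIENT" ]
}

# run_as USER COMMAND [ARGS...]
# Grants USER access to this X display, runs COMMAND as USER through sudo,
# then revokes the grant again and returns the command's exit status.
run_as() {
    user=$1
    shift
    if [ $# -lt 1 ]; then
        echo "usage: run_as USER COMMAND [ARGS...]" >&2
        return 2
    fi
    granted=0
    if in_local_x_session; then
        xhost +si:localuser:"$user" >/dev/null || return 1
        granted=1
    fi
    # -i gives the target user a login shell (its own profile, HOME, PATH);
    # env -u strips XDG_RUNTIME_DIR so the application does not try to use
    # the caller's /run/user/<uid>, which is what produced the dconf errors.
    sudo -i -u "$user" env -u XDG_RUNTIME_DIR "$@"
    status=$?
    if [ "$granted" -eq 1 ]; then
        # The grant was only needed for the lifetime of this application.
        xhost -si:localuser:"$user" >/dev/null
    fi
    return "$status"
}

# Stand-alone use: ./run_as.sh gamer gcalctool
if [ $# -ge 2 ]; then
    run_as "$@"
fi
```

Because the revoke runs unconditionally after the application exits, it also removes a grant made earlier by the .profile snippet, so use one mechanism or the other, not both. Outside a local X session (no DISPLAY, or an SSH login) the wrapper skips xhost entirely and just runs the command.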

Sound

I quickly found out that sound is not routed for these redirected applications. It’s a pity it doesn’t work out of the box, but fortunately it can be fixed quite easily.

First, install and run paprefs and activate Enable network access to local sound devices. I have no idea which configuration was adjusted, because nothing changed in either ~/.pulse or /etc/pulse. But you can now see the PulseAudio server listening over TCP/IP for network connections. Authorization should be required, so you don’t need to be afraid of eavesdroppers.

Now, try to play some sound (the whole command must be quoted, otherwise su hands the file name to the shell as a positional parameter instead of to paplay):

kparal@kraken ~ $ su - gamer -c "paplay /usr/share/sounds/alsa/Front_Center.wav"

(or just run Totem/Firefox/etc)

If you are lucky (unlike me), your audio now works out of the box. But if your PulseAudio daemon is restarted for any reason (it crashes or you kill it and start it again), the routing no longer works and you need to log out and back in to your desktop session. Probably a bug. I didn’t know that, so I spent hours reading PulseAudio documentation. It’s not the most thrilling experience.

If that magic routing didn’t work for you, or you need to play audio even after PA is restarted, this is what I involuntarily discovered:

  1. You can copy ~kparal/.pulse-cookie to ~gamer/.pulse-cookie (and re-assign file ownership to gamer). That will handle authentication.
  2. Then you can forward audio by sudoing to gamer, exporting the PULSE_SERVER=localhost variable and running the app you wish.

(It should also be possible to route the audio using unix sockets (instead of TCP/IP sockets), but the damned documentation is not helpful at all in achieving this task.)
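The two manual steps above put into functions, as an added example that is not part of the original post: the cookie is copied with owner and mode set in one step (it is the shared secret that authorizes clients to the sound server, so it must not be readable by anyone else), and the application is started with PULSE_SERVER pointing at the local TCP listener. The paprefs option being enabled, the ~/.pulse-cookie location (Fedora 18 era) and sudo being available to the caller are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the two manual steps above
# (share the PulseAudio cookie, run the app with PULSE_SERVER) as functions.
# Assumptions: "Enable network access to local sound devices" is already on in
# paprefs, the cookie lives in ~/.pulse-cookie as on Fedora 18 (newer
# PulseAudio keeps it in ~/.config/pulse/cookie), and the caller may use sudo.

# share_pulse_cookie SRC DST OWNER
# Copies the cookie to DST owned by OWNER with mode 0600. The cookie is the
# shared secret that authorizes a client to the sound server, so it must stay
# readable by its intended user only. install(1) does copy, chown and chmod in
# one step; sudo is needed because DST is inside the other user's home.
share_pulse_cookie() {
    src=$1; dst=$2; owner=$3
    if [ ! -r "$src" ]; then
        echo "cookie $src is not readable" >&2
        return 1
    fi
    sudo install -m 0600 -o "$owner" "$src" "$dst"
}

# cookie_is_private FILE: true when FILE is a regular file with mode 0600
cookie_is_private() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# play_as TARGET COMMAND [ARGS...]
# Runs COMMAND as TARGET with PULSE_SERVER pointing at the TCP listener of the
# caller's PulseAudio, so the application's audio ends up on the local sound
# card instead of failing to connect.
play_as() {
    target=$1
    shift
    sudo -i -u "$target" env PULSE_SERVER=localhost "$@"
}

# Stand-alone use: ./pulse-share.sh gamer
# copies the cookie and plays the test sound from the post as that user.
if [ $# -eq 1 ]; then
    home=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $1" >&2; exit 1; }
    share_pulse_cookie "$HOME/.pulse-cookie" "$home/.pulse-cookie" "$1" &&
        play_as "$1" paplay /usr/share/sounds/alsa/Front_Center.wav
fi
```

Keep in mind that anyone holding a copy of the cookie can talk to the sound server over that TCP listener, which is exactly why the copy is made 0600 and owned by the target user rather than left world-readable.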

Graphical acceleration

Spot two differences:

kparal@kraken ~ $ glxinfo | grep render
direct rendering: Yes
OpenGL renderer string: Mesa DRI Mobile Intel® GM45 Express Chipset

and

kparal@kraken ~ $ su - gamer -c glxinfo | grep render
Password:
libGL error: failed to load driver: i965
libGL error: Try again with LIBGL_DEBUG=verbose for more details.
direct rendering: Yes
OpenGL renderer string: Gallium 0.4 on llvmpipe (LLVM 0x301)

Yes, your redirected applications don’t have 3D acceleration. Here is a more detailed error message:

kparal@kraken ~ $ su - gamer
Password:
gamer@kraken ~ $ LIBGL_DEBUG=verbose glxinfo | grep render
libGL: OpenDriver: trying /usr/lib64/dri/i965_dri.so
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965
libGL: OpenDriver: trying /usr/lib64/dri/swrast_dri.so
libGL: Can't open configuration file /home/gamer/.drirc: No such file or directory.
direct rendering: Yes
OpenGL renderer string: Gallium 0.4 on llvmpipe (LLVM 0x301)

I tried to run chromium-bsu and extremetuxracer, both run at around 30 FPS using software rendering. Not suitable for gaming at all.

Fortunately I’ve found out the reason. It’s all about access permissions to /dev/dri/card0 file, which represents your graphics card. If you log in using a standard graphical session, some daemon (probably logind) grants you temporary rw access to that file using ACLs:

kparal@kraken ~ $ getfacl /dev/dri/card0 
getfacl: Removing leading '/' from absolute path names
# file: dev/dri/card0
# owner: root
# group: video
user::rw-
user:kparal:rw-
group::rw-
mask::rw-
other::---

But if you log in using su or sudo, you are not given these permissions. I have found two solutions. The first one is to manually add an ACL entry for gamer after each boot:

kparal@kraken ~ $ sudo setfacl -m user:gamer:rw /dev/dri/card0

This can be added for example to /etc/rc.d/rc.local in order to be executed on every boot. The other approach is to add gamer to the video group, which owns the file. In this case you don’t need to execute anything on each boot, the change is permanent.

Now your 3D applications should work correctly:

kparal@kraken ~ $ su - gamer -c glxinfo | grep render
Password:
direct rendering: Yes
OpenGL renderer string: Mesa DRI Mobile Intel® GM45 Express Chipset

The simple games I tried now run at full speed.

Please note, however, that there are slight security concerns when you elevate these permissions for gamer permanently. If the account gets hacked, the attacker can access your graphics card (maybe see your display? I don’t know) or even a camera (only if you used the video group approach, because this group also controls access to the webcam) while being logged in remotely. For this reason the first approach seems a bit safer to me (it limits the number of devices), and you should definitely prohibit gamer from any remote access (e.g. disable this account in your ssh server configuration).
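As an added example (not from the original post), the per-boot ACL approach wrapped in functions, together with a check that makes the concern in the previous paragraph concrete: it lists every device node a given group owns, so you can see what group membership would hand out at once compared to the single-file ACL. The acl tools being installed, sudo being available, the device path defaulting to /dev/dri/card0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the per-boot ACL approach for
# the render device wrapped in functions, plus a check that shows what the
# alternative (membership in the video group) would hand out in one go.
# Assumptions: the acl package (getfacl/setfacl) is installed, the caller can
# use sudo, and the device defaults to /dev/dri/card0 as in the post.

# grant_dri USER [DEVICE]: give USER rw on DEVICE through an ACL entry.
# /dev is rebuilt at boot, so the entry disappears with the next reboot; call
# this from /etc/rc.d/rc.local if it should come back every time.
grant_dri() {
    user=$1; dev=${2:-/dev/dri/card0}
    sudo setfacl -m "user:$user:rw" "$dev"
}

# revoke_dri USER [DEVICE]: remove that ACL entry again.
revoke_dri() {
    user=$1; dev=${2:-/dev/dri/card0}
    sudo setfacl -x "user:$user" "$dev"
}

# has_dri_acl USER [DEVICE]: true when getfacl lists an rw entry for USER
has_dri_acl() {
    user=$1; dev=${2:-/dev/dri/card0}
    getfacl -p "$dev" 2>/dev/null | grep -q "^user:$user:rw-"'$'
}

# devices_in_group GROUP [DEVDIR]
# Lists every non-directory entry under DEVDIR owned by GROUP. Adding a user
# to GROUP grants access to all of these at once (for video that includes
# webcam nodes such as /dev/video0), which is why the single-file ACL is the
# narrower choice.
devices_in_group() {
    group=$1; devdir=${2:-/dev}
    find "$devdir" ! -type d -group "$group" 2>/dev/null | sort
}

# count_devices_in_group GROUP [DEVDIR]: number of entries devices_in_group lists
count_devices_in_group() {
    devices_in_group "$1" "${2:-/dev}" | wc -l | tr -d ' '
}

# Stand-alone use: ./dri-acl.sh gamer
# grants the ACL, confirms it, and shows what the video group would expose.
if [ $# -eq 1 ]; then
    grant_dri "$1" && has_dri_acl "$1" && echo "ACL for $1 is in place"
    echo "devices the video group would expose:"
    devices_in_group video
fi
```

Running `devices_in_group video` before deciding between the two approaches shows exactly which extra nodes (webcams, capture devices) group membership would add beyond the render device, and `revoke_dri` gives you a way to take the ACL back without waiting for a reboot.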

Epilogue

That’s it, I can finally display graphical applications (even games) from a different user account inside my desktop session. It took me quite some time to find this all out. It’s highly probable that I did a lot of things the wrong way. Does anybody know of a tool that would handle all this setup transparently and easily? Or does anyone know a working sandbox tool that would fit these use cases? Please share your improvements in the comments. Thanks.

New package in Fedora: sendKindle

sendKindle allows you to easily send documents to your Amazon Kindle device from the command line. You no longer need to open an email client, create a new email, fill in the recipient and a subject, add attachments, hit send. No: you just type sendKindle into your terminal, drag and drop the file and hit Enter. It’s faster 🙂

I already blogged about sendKindle before. It will use your email account (I tested just GMail) to send the file to your Amazon address. (As a bonus, I have a filter defined in GMail which will move these emails from the Sent mail to Trash, because I don’t want all the files to clutter my mailbox, and it works great.)

Recently I finally became a packager (hooray!) and pushed sendKindle as my first package into Fedora. It’s currently in updates-testing, so until it receives some karma or a week passes, you can install it like this:

$ yum install sendKindle --enablerepo=updates-testing

In a week you can use your favorite package manager without any further “complications”, because it will have landed in stable updates for Fedora 17 and 18.

The project lives at github, report all your problems there (except packaging bugs, which go to bugzilla). Be sure to see the README though – if you want new features, you need to provide patches.

Enjoy.

Kerberos authentication in GNOME Online Accounts

I have recently found out that GNOME Online Accounts now supports Kerberos authentication. I assume this might be interesting for many people who use GNOME in a corporate environment, so I decided to write a few words about it here.

The setup is as simple as it can get. You just add a new Kerberos account in GNOME Online Accounts and provide a domain name, your user name and a password. Then you see this:

(screenshot: goa-kerberos)

Every time you boot your computer now, you will also receive a Kerberos ticket. Awesome!

Unfortunately, the world is not perfect, and neither is GNOME Online Accounts. So there are a few annoying problems:

  1. Your computer has to boot inside the company network. If you connect to the network afterwards, you will not receive the Kerberos ticket.
  2. You can’t use the ON-OFF slider to force a ticket retrieval, because GNOME Online Accounts crashes. So back to kinit in this case.

Let’s hope these problems will be ironed out in GNOME 3.8, currently it’s just a half-baked solution. But it’s definitely better than having nothing at all.

The heroes of Fedora 18 Final testing – Bugzilla

It took me a while, but finally I have further data regarding Fedora 18 Final testing contributors. Last time I presented a list of people who helped out with QA wiki matrices, this time I have Bugzilla statistics.

The results are pretty interesting. Over 800 people reported bugs between Fedora 18 Beta and Final, creating over 2300 new bugs in total. Those are stunning numbers for a 6-week period including Christmas holidays. A trimmed list of top contributors is below:

Test period: 2012-11-29 – 2013-01-15 (Fedora 18 Beta release – Fedora 18 Final release)
Total number of reporters: 814
Total number of new reports: 2311

Name  Total reports submitted [1]  Excess reports [2]  Accepted blockers [3]
Michael Scherer 59 1 (1%) 0
Reartes Guillermo 53 3 (5%) 0
Mikhail 43 5 (11%) 0
Jan Teichmann 34 28 (82%) 0
Kamil Páral 31 2 (6%) 2
Steve Tyler 29 0 (0%) 3
Aleksandar Kostadinov 29 7 (24%) 0
Chris Murphy 25 0 (0%) 7
Gene Czarcinski 25 2 (8%) 0
Adam Williamson 24 0 (0%) 5
Dean Hunter 24 11 (45%) 0
Kay Sievers 22 3 (13%) 0
Michal Schmidt 19 1 (5%) 0
Heiko Adams 18 3 (16%) 0
Max 18 0 (0%) 0
Andre Robatino 17 15 (88%) 0
Florian Weimer 17 1 (5%) 0
Štefan Gurský 17 0 (0%) 0
Niki Guldbrand 16 0 (0%) 0
bob 14 3 (21%) 0
Flóki Pálsson 14 2 (14%) 0
mariolinux at alice.it 14 0 (0%) 0
Braden McDaniel 13 2 (15%) 0
Cole Robinson 12 1 (8%) 0
Brian J. Murrell 11 0 (0%) 0
Mikolaj Izdebski 11 0 (0%) 0
Petr Schindler 10 0 (0%) 1
Bryce 10 2 (20%) 0
Eugene 10 0 (0%) 0
IBM Bug Proxy 10 0 (0%) 0
Sergio 10 1 (10%) 0
Jan Vcelak 9 0 (0%) 1
Tommy He 9 0 (0%) 1
Carlos Soriano 9 1 (11%) 0
Hin-Tak Leung 9 0 (0%) 0
Lingzhu Xiang 9 0 (0%) 0
Michael Schwendt 9 2 (22%) 0
mkruger 9 3 (33%) 0
sheepdestroyer at gmail.com 9 0 (0%) 0
Tim Waugh 9 0 (0%) 0
xset1980 at hotmail.com 9 2 (22%) 0
Matthew Miller 8 1 (12%) 2
abyss.7 at gmail.com 8 1 (12%) 0
Ankur Sinha (FranciscoD) 8 0 (0%) 0
D. Charles Pyle 8 0 (0%) 0
Dan Mashal 8 0 (0%) 0
Jean-François Fortin Tam 8 0 (0%) 0
Leslie Satenstein 8 1 (12%) 0
Luya Tshimbalanga 8 2 (25%) 0
M. Edward (Ed) Borasky 8 0 (0%) 0
Miro Hrončok 8 1 (12%) 0
Munteanu Victor Ion 8 0 (0%) 0
Mustafa 8 1 (12%) 0
pizza306 at gmail.com 8 2 (25%) 0
quickbooks.office at gmail.com 8 0 (0%) 0
Richard W.M. Jones 8 1 (12%) 0
Sigitas 8 0 (0%) 0
skkd.h4k1n9 at yahoo.de 8 0 (0%) 0
Eric Blake 7 0 (0%) 1
Ian Pilcher 7 0 (0%) 1
m-redhat at fuglos.org 7 0 (0%) 1
Robert Lightfoot 7 4 (57%) 1
cornel panceac 7 0 (0%) 0
Erwan Bousse 7 1 (14%) 0
Joachim Backes 7 2 (28%) 0
Mikko Tiihonen 7 0 (0%) 0
Amit Shah 6 2 (33%) 0
Boricua 6 0 (0%) 0
Dave Jones 6 2 (33%) 0
Guillaume AMAT 6 1 (16%) 0
Ivo Sarak 6 0 (0%) 0
Jaroslav Škarvada 6 0 (0%) 0
Jens Petersen 6 0 (0%) 0
Klaus Lichtenwalder 6 0 (0%) 0
Martin Holec 6 1 (16%) 0
Matthias Runge 6 0 (0%) 0
Milan Bouchet-Valat 6 0 (0%) 0
mussadek 6 0 (0%) 0
nero 6 1 (16%) 0
Philipp Dreimann 6 0 (0%) 0
Tapani Björg 6 1 (16%) 0
W. Michael Petullo 6 0 (0%) 0
A.J. Werkman 5 0 (0%) 0
Benjamin Kosnik 5 0 (0%) 0
Brandon 5 1 (20%) 0
Christoph Frieben 5 0 (0%) 0
cookies.river at gmail.com 5 0 (0%) 0
Fabrice Bellet 5 1 (20%) 0
Francesco Frassinelli 5 1 (20%) 0
Gerard Ryan 5 0 (0%) 0
Gustavo Luiz Duarte 5 0 (0%) 0
Jan Sedlák 5 1 (20%) 0
Jared Smith 5 0 (0%) 0
Josh Boyer 5 0 (0%) 0
leigh scott 5 1 (20%) 0
Luke Macken 5 0 (0%) 0
mastaiza 5 0 (0%) 0
Nicholas Nachefski 5 0 (0%) 0
Orion Poplawski 5 2 (40%) 0
Pravin Satpute 5 0 (0%) 0
Ralf Corsepius 5 1 (20%) 0
Rex Dieter 5 1 (20%) 0
Sam Tygier 5 0 (0%) 0
satellit at bendbroadband.com 5 0 (0%) 0
…and also 710 other reporters who created fewer than 5 reports each, but 1164 reports combined!

[1] The total number of new reports (including “excess reports”). Reopened reports or reports with a changed version are not included, because it was not technically easy to retrieve those. This is one of the reasons why you shouldn’t take the numbers too seriously, but just as interesting and fun data.
[2] Excess reports are those that were closed as NOTABUG, WONTFIX, WORKSFORME, CANTFIX or INSUFFICIENT_DATA. Excess reports are not necessarily a bad thing, but they make for interesting statistics. Close manual inspection is required to separate valuable excess reports from those which are less valuable.
[3] This only includes reports that were created by that particular user and accepted as blockers afterwards. The user might have proposed other people’s reports as blockers, but this is not reflected in this number.

I’m very glad to see that most of the top reporters are in fact not Red Hat employees. That suggests how strong the Fedora community is. I’d like to specifically thank these top community contributors, namely Reartes Guillermo, Mikhail, Jan Teichmann, Steve Tyler, Chris Murphy, Gene Czarcinski, Dean Hunter, Heiko Adams, Max, Andre Robatino, Štefan Gurský, Niki Guldbrand and all the others who spent their personal time to help improve Fedora quality.

Of course, kudos also to anyone else who contributed, no matter whether they are mentioned in the matrix above or not. Without you, the bug reporters, we wouldn’t be able to keep Fedora 18 quality up, as it is (hopefully) now. So, thank you!

Recruitment pitch: If you haven’t participated in Fedora 18 release validation, we would love to see you in the Fedora 19 cycle (the test period will start in a month or so) or simply helping out to polish the currently stable Fedora 18 release. Please read QA/Join#Reporting_bugs_in_Fedora_releases, follow the announcements and talk to us in #fedora-qa on IRC and test list.

Thanks everyone!

When reading the statistics, please take them with a grain of salt. The numbers are not directly comparable. People might see some reports as more valuable than others. Some people tested a lot of components, but haven’t found many problems (but that also helps). Some people used their skills in other areas than Bugzilla or wiki matrices. This is not meant to be a comparison chart, but a well-meant “thank you” letter.
The statistics were generated by the stats-bugzilla.py script.