How to run graphical applications with su or sudo
In this blogpost I’ll describe how to run graphical applications under a different user account in your current desktop session (i.e. without fast user switching). It involves some fiddling with the system configuration, this is not intended for general users without advanced system knowledge. The instructions are created for Fedora 18.
Everything mentioned here was discovered through a trial-and-error approach, I don’t have any expertise in this area. Some of the advice might not be fully correct. I have talked to a few qualified people and I was told that Linux doesn’t support this properly and some applications might display some glitches or not work at all. Consider this a best-effort solution – it might work perfectly for some applications, but you can’t expect it to work in general.
In my setup I have a regular user account kparal and also a second user account gamer that I use for several purposes:
- Playing games. I use GNOME Fallback mode, so I get slightly better framerates (I have a very slow graphic card and it really makes a difference).
- Running unknown and “not so trustworthy” tools and scripts, often downloaded somewhere from the Internet (i.e. not packaged in Fedora). I do not really expect malware in these tools, but more likely serious bugs. I like to know that the unknown script can’t delete my personal data by accident.
But using the second user account is sometimes also inconvenient:
- If you need to transfer a piece of text (e.g. a hyperlink) from one account to the other, it involves saving it as a file, copying it and fixing permissions. Ugh.
- If you are inside gamer session, you don’t see any notifications from your kparal‘s IM clients, mail clients, etc. You need to switch forth and back all the time to check your messages and reply.
- If you are inside gamer session, you can’t easily access some files in your kparal home folder that you would like to, e.g. music. Just to play some background music, you need to fiddle with your data, set up permissions, etc. Boring.
Over the weekend I installed Steam. Obviously I run it under the gamer account. Not just because of performance, but also because my trust in Steam is far from being 100%. It downloads lots of external binaries and executes them. I trust Valve they are careful to not have any security incident (e.g. malware added to some of their game updates), they certainly have some security checks and policies, but how reliable are those? Does Steam executes everything inside some sandbox? I don’t know and honestly, running Steam (and dozens of third-party binaries it executes) in a separate account seems like a reasonable trade-off.
When I tried to buy a game in Steam, I needed to log in to my Moneybookers account. But my financial passwords usually consists of 20 random characters and are safely stored in a password manager in the kparal session. I got very annoyed at this point. The string is too long to remember, I was offended by the idea to write it down (what do we have technology for if I need to use paper?) and I didn’t really want to save it in a plain text file on disk. Call it a whim. So how do I transfer it? Why on earth can’t I just run steam under the gamer account inside my kparal session and copy and paste it? Windows can do it!
Well, it turns out Linux can do this too, more or less, but it needs a few tweaks. After that you can run any application under a different user account inside your desktop session. Let’s see how.
Basic application window
If you log in using su and run a sample graphical application, it should work out of the box:
kparal@kraken ~ $ su - gamer -c gcalctool Password: ** (gcalctool:3969): WARNING **: Couldn't register with accessibility bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. ** (gcalctool:3969): CRITICAL **: unable to create directory '/run/user/1000/dconf': Permission denied. dconf will not work properly. (repeated many times)
There are some accessibility bus warnings, but I haven’t seen any loss of functionality, so I consider them mostly harmless. The dconf errors are arguably a bug and you might lose some functionality because of that – application settings might not be loaded nor saved. If you see these errors, you should unset XDG_RUNTIME_DIR variable first:
kparal@kraken ~ $ su - gamer Password: gamer@kraken ~ $ unset XDG_RUNTIME_DIR gamer@kraken ~ $ gcalctool ** (gcalctool:3969): WARNING **: Couldn't register with accessibility bus: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
At this point most of your graphical applications should work just fine (the only problem I’ve found is that the global GNOME menu doesn’t work with them). Some of their functionality can be lost however, especially if the application tries to communicate over D-Bus with other processes. According to information I gathered, you might improve the situation in certain cases if you run the application using dbus-launch:
gamer@kraken ~ $ dbus-launch your-application
I haven’t yet seen any application where this would be required, so I can’t provide any more details. Basically if you see any errors regarding D-Bus, you can expect some loss of functionality. But often you might not care, it depends on what you need to achieve with that particular application.
Using sudo instead of su
I like to use sudo instead of su, because it caches your password and it can be even configured for password-less login. However the approach is not so straightforward here and requires more tweaking. Only follow this section if su doesn’t suit your needs.
In the basic workflow, this is what you will see using sudo command:
kparal@kraken ~ $ sudo -i -u gamer gcalctool No protocol specified ** (gcalctool:5113): WARNING **: Could not open X display No protocol specified (gcalctool:5113): Gtk-WARNING **: cannot open display: :0
This is because your X server permissions do not allow anyone else to connect to it (IIUIC):
kparal@kraken ~ $ xhost access control enabled, only authorized clients can connect SI:localuser:kparal
If you want to use sudo instead of su, you need to allow gamer to display the window in your session. Like this:
kparal@kraken ~ $ xhost +si:localuser:gamer localuser:gamer being added to access control list kparal@kraken ~ $ xhost access control enabled, only authorized clients can connect SI:localuser:gamer SI:localuser:kparal
Now try it again:
kparal@kraken ~ $ sudo -i -u gamer gcalctool
The calculator should appear just fine. The xhost command has to be executed after each session start, so I wanted to add it to ~kparal/.xprofile, but then I found out that Fedora doesn’t source that file. I added it to ~kparal/.profile instead like this:
# allow gamer to display apps on this X server # (don't do that for local non-X and any remote connections) if [ -n "$DISPLAY" -a -z "$SSH_CLIENT" ]; then xhost +si:localuser:gamer fi
I now used the command above to run Steam in my session and paste in the Moneybookers login credentials conveniently. Success!
I quickly found out that sound is not routed for these redirected applications. It’s a pity it doesn’t work out of the box, but fortunately it can be fixed quite easily.
First, install and run paprefs and activate Enable network access to local sound devices. I have no idea which configuration was adjusted, because nothing changed neither in ~/.pulse nor in /etc/pulse. But you can see now the pulseaudio server listening over TCP/IP for network connections. Authorization should be required, so you don’t need to be afraid of eavesdroppers.
Now, try to play some sound:
kparal@kraken ~ $ su - gamer -c paplay /usr/share/sounds/alsa/Front_Center.wav
(or just run Totem/Firefox/etc)
If you are lucky (unlike me), your audio now works out of the box. But if you pulseaudio daemon is restarted for any reason (it crashes or you kill it and start again), the routing no longer works and you need to re-log to your desktop session. Probably a bug. I didn’t know that, so I spent hours reading PulseAudio documentation. It’s not the most thrilling experience.
If that magic routing didn’t work for you, or you need to play audio even after PA is restarted, this is what I involuntarily discovered:
- You can copy ~kparal/.pulse-cookie to ~gamer/.pulse-cookie (and re-assign file ownership). That will handle authentication.
- Then you can forward audio by sudoing to gamer, exporting PULSE_SERVER=localhost variable and running the app you wish.
(It should be also possible to route the audio using unix sockets (instead of TCP/IP sockets), but the damned documentation is not helpful at all in achieving this task.)
Spot two differences:
kparal@kraken ~ $ glxinfo | grep render direct rendering: Yes OpenGL renderer string: Mesa DRI Mobile Intel® GM45 Express Chipset
kparal@kraken ~ $ su - gamer -c glxinfo | grep render Password: libGL error: failed to load driver: i965 libGL error: Try again with LIBGL_DEBUG=verbose for more details. direct rendering: Yes OpenGL renderer string: Gallium 0.4 on llvmpipe (LLVM 0x301)
Yes, your redirected applications don’t have 3D acceleration. Here is a more detailed error message:
kparal@kraken ~ $ su - gamer Password: gamer@kraken ~ $ LIBGL_DEBUG=verbose glxinfo | grep render libGL: OpenDriver: trying /usr/lib64/dri/i965_dri.so libGL error: failed to open drm device: Permission denied libGL error: failed to load driver: i965 libGL: OpenDriver: trying /usr/lib64/dri/swrast_dri.so libGL: Can't open configuration file /home/gamer/.drirc: No such file or directory. direct rendering: Yes OpenGL renderer string: Gallium 0.4 on llvmpipe (LLVM 0x301)
Fortunately I’ve found out the reason. It’s all about access permissions to /dev/dri/card0 file, which represents your graphics card. If you log in using a standard graphical session, some daemon (probably logind) grants you temporary rw access to that file using ACLs:
kparal@kraken ~ $ getfacl /dev/dri/card0 getfacl: Removing leading '/' from absolute path names # file: dev/dri/card0 # owner: root # group: video user::rw- user:kparal:rw- group::rw- mask::rw- other::---
But if you log in using su or sudo, you are not given proper permissions. I have found two solutions. The first one is to manually add gamer‘s ACLs after each boot:
kparal@kraken ~ $ sudo setfacl -m user:gamer:rw /dev/dri/card0
This can be added for example to /etc/rc.d/rc.local in order to be executed every boot. The other approach is to add gamer to the video group, which owns the file. In this case you don’t need to execute anything else on each boot, the change is permanent.
Now your 3D applications should work correctly:
kparal@kraken ~ $ su - gamer -c glxinfo | grep render Password: direct rendering: Yes OpenGL renderer string: Mesa DRI Mobile Intel® GM45 Express Chipset
The simple games I tried now run at full speed.
Please note however, that there are slight security concerns when you elevate these permissions for gamer permanently. If the account gets hacked, the attacker can access your graphics card (maybe see your display? I don’t know) or even a camera (just if you used the video group approach, because this group also controls access to the webcam) while being logged in remotely. From this reason the first approach seems a bit safer to me (limits the number of devices) and you should definitely prohibit gamer from any remote access (e.g. disable this account in your ssh server configuration).
That’s it, I can finally display graphical applications (even games) from a different user account inside my desktop session. It took me quite some time to find this all out. It’s highly probable that I did a lot of things the wrong way. Does anybody know of a tool that would handle all this setup transparently and easily? Or does anyone know a working sandbox tool that would fit these use cases? Please share your improvements in the comments. Thanks.