Re: X won't allow display export...
Aaron Traas, What about DISPLAY=:0.0? Aaron Traas ([EMAIL PROTECTED]) said thusly on [31/07/01 at 16:25]: > > and the following on the box I was trying to export the display from: > > export DISPLAY=10.1.1.33:0.0 > The radical invents the views. When he has worn them out, the conservative adopts them. Notebooks
Re: X won't allow display export...
"Robert L. Harris" <[EMAIL PROTECTED]> writes: > Make sure the option "-nolisten tcp" has been removed. Or if you don't trust the network, tunnel the connection via ssh.
Re: AW: X won't allow display export...
> * start xterm (or any X-shell) on the client box > * xhost + ^^^ this is overkill if you're going to use ssh; > * ssh -X -l user server_name the -X forwards X packets so there's no need to turn off X security with xhost. -- Andrew J Perrin - [EMAIL PROTECTED] - http://www.unc.edu/~aperrin Assistant Professor of Sociology, U of North Carolina, Chapel Hill 269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA On Tue, 31 Jul 2001, Schoppitsch Dieter wrote: > I do it this way: > * start xterm (or any X-shell) on the client box > * xhost + > * ssh -X -l user server_name > * type xterm > and you are in your server. > > Dieter > > > > > I am unable to successfully export the display from one of my Debian > > boxen to another. I tried the following on the box I was using X on: > > > > xhost + > > > > and the following on the box I was trying to export the display from: > > > > export DISPLAY=10.1.1.33:0.0 > > > > Normally, this has worked under other distros and Unices (I have a > > Mandrake box and two SPARC's running Solaris 8 here), but I can't get it > > to work under Debian. Is there some package I've forgotten to install?? > > > > --Aaron Traas > > > > > > -- > > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > >
AW: X won't allow display export...
I do it this way: * start xterm (or any X-shell) on the client box * xhost + * ssh -X -l user server_name * type xterm and you are in your server. Dieter > I am unable to successfully export the display from one of my Debian > boxen to another. I tried the following on the box I was using X on: > > xhost + > > and the following on the box I was trying to export the display from: > > export DISPLAY=10.1.1.33:0.0 > > Normally, this has worked under other distros and Unices (I have a > Mandrake box and two SPARC's running Solaris 8 here), but I can't get it > to work under Debian. Is there some package I've forgotten to install?? > > --Aaron Traas > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: X won't allow display export...
Go to the machine you're trying to push X to (the one where you did xhost +) and cd to /etc/X11/xinit and vi "xserverrc" I believe. Make sure the option "-nolisten tcp" has been removed. If not, remove those 2 words and restart X. I wish it could be done without restarting X but I don't know how. Security feature. Thus spake Aaron Traas ([EMAIL PROTECTED]): > I am unable to successfully export the display from one of my Debian > boxen to another. I tried the following on the box I was using X on: > > xhost + > > and the following on the box I was trying to export the display from: > > export DISPLAY=10.1.1.33:0.0 > > Normally, this has worked under other distros and Unices (I have a > Mandrake box and two SPARC's running Solaris 8 here), but I can't get it > to work under Debian. Is there some package I've forgotten to install?? > > --Aaron Traas > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] :wq! --- Robert L. Harris| Micros~1 : Senior System Engineer |For when quality, reliability at RnD Consulting | and security just aren't \_ that important! DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else. FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
X won't allow display export...
I am unable to successfully export the display from one of my Debian boxen to another. I tried the following on the box I was using X on: xhost + and the following on the box I was trying to export the display from: export DISPLAY=10.1.1.33:0.0 Normally, this has worked under other distros and Unices (I have a Mandrake box and two SPARC's running Solaris 8 here), but I can't get it to work under Debian. Is there some package I've forgotten to install?? --Aaron Traas
Re: display export??
> Simply execute 'xhost +localhost' before doing a su. the use of xhost to do this is grequentlyh considered a security risk by folks who understand such things (But I'm not one of them, so don't ask me to explain why :) There's (at least) two secure ways to do things. One is to, as the logged in user, type xauth list $DISPLAY and receive something back like hawkins/unix:0 MIT-MAGIC-COOKIE-1 89978798dea097090890907890 then, in your root window, type xauth add $DISPLAY MIT-MAGIC-COOKIE-1 89978798dea097090890907890 (use the mouse to cut and paste; you're not likely to type that many hex digits correctly) another way is to use ssh, which tunnels X. I have the alias alias rw "nice xterm -bg pink -fg black -geom 80x25-5+200 -T [EMAIL PROTECTED] -e "ssh localhost -lroot " & to launch the terminal, label it, paint it pink as a warning, and begin the ssh session. hawk
RE: display export??
Title: RE: display export?? Hi, the whole point seems to be that your X is configured by default to use a security mechanism called MIT-MAGIC-COOKIE . BTW, sounds like a good idea, much better than the "xhost" mechanism which is fairly unsecure. Basically, it works like that: 1. when you launch your X server it computes a "cookie" (long hex stream) to authenticate your session 2. whenever a program tries to connect to your X server, it has to send the appropriate cookie first to be able to connect, otherwise the connection will be refused. The cookie is stored in the ~/.Xsession file , which explains why linking/copying .Xsession files from one home dir to another works. This "hack" is indeed a bad idea, from a security point of view. You would not like to give all your credit card numbers to someone else if all he needs is one of them, would you? Because your .Xsession contains the cookie for _all_ your X connections, even on remote machines! Thus the right way to do what you want seems to me to follow this path: 1. run 'xauth list' : this will display all your current X cookies (btw, there is no mechanism to assure they are still valid: every time you restart a X server it regenerates a new one) 2. su to the user you want to (root for example) 3. set your environment variable DISPLAY to point to your target X server. In the case where you connect locally, it is true that using Unix sockets will be more efficient, so set you DISPLAY to "my.local.machine/unix:0" and not to "my.local.machine:0" . 4. run 'xauth add $DISPLAY . the_token_you_grabbed_at_first_step ' Note the "." . It is a shortcut for the magic word "MIT-MAGIC-COOKIE-1" and saves your keyboard types! 5. run whatever X program you want, it will connect to your X server seemlessly. Last thing: if you really want to live in an unsecure but no-brainer-friendly environment, you would issue an "xhost +" before doing su, which allows every machine and every user on earth to connect to your X server without authentication. Which is easier if you work on a stand-alone machine without connection to any network. But again, this is _bad_ habits. HTH Thierry -Original Message- From: John Bagdanoff [mailto:[EMAIL PROTECTED]] Sent: Friday, July 14, 2000 11:14 AM To: Debian User List Subject: Re: display export?? On Thu, Jul 13, 2000 at 08:52:22PM -0400, Noah L. Meyerhans wrote: > -BEGIN PGP SIGNED MESSAGE- > > On Fri, 14 Jul 2000, Ragga Muffin wrote: > > > > do I need to export DISPLAY localhost? Im not sure of the syntax...am I on the right track? > > > > Yes and no. What yuo need to do is temporarily permit x-connections from > > your localhost if you want to start an x program with a different > > user than the current session (in this case root) > > > > Simply execute 'xhost +localhost' before doing a su. > > I think that doing xhost local:root is better. There are 2 reasons for > this: > 1. You're specifying a user name, which gives added security if you've > got a multi-user system. > > 2. You're specifying a local connection, not a connection that uses a > network interface. The X server connections with use Unix sockets, not > TCP sockets. This gives you less overhead since you don't have to send > all your data through a TCP stack. > The solution I found awhile ago was to link /root/.Xauthority to /home//.Xauthority John > noah > > ___ > | Web: http://web.morgul.net/~frodo/ > | PGP Public Key: http://web.morgul.net/~frodo/mail.html > > -BEGIN PGP SIGNATURE- > Version: PGPfreeware 5.0i for non-commercial use > Charset: noconv > > iQCVAwUBOW5kTIdCcpBjGWoFAQGFjAP/V/dalkL6GK7O8Mwbgd//3GpLQLU7e5GG > wPl9hHIZm8tjx1FOHlxtnpxHw8RREof1ttubhR1n2Rvs8UVXfHpqIf0V5nQf2FGA > viuMT6NUtFfi2fcvq9607vc2nPPR8yqwe5aMFhVV3fj13PpIYRqxz0nnuH7NoU+F > 3AN2DeTRBDo= > =MEnf > -END PGP SIGNATURE- > > > -- > Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null > -- Using Linux -- Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
Re: display export??
On Thu, Jul 13, 2000 at 08:52:22PM -0400, Noah L. Meyerhans wrote: > -BEGIN PGP SIGNED MESSAGE- > > On Fri, 14 Jul 2000, Ragga Muffin wrote: > > > > do I need to export DISPLAY localhost? Im not sure of the syntax...am I > > > on the right track? > > > > Yes and no. What yuo need to do is temporarily permit x-connections from > > your localhost if you want to start an x program with a different > > user than the current session (in this case root) > > > > Simply execute 'xhost +localhost' before doing a su. > > I think that doing xhost local:root is better. There are 2 reasons for > this: > 1. You're specifying a user name, which gives added security if you've > got a multi-user system. > > 2. You're specifying a local connection, not a connection that uses a > network interface. The X server connections with use Unix sockets, not > TCP sockets. This gives you less overhead since you don't have to send > all your data through a TCP stack. > The solution I found awhile ago was to link /root/.Xauthority to /home//.Xauthority John > noah > > ___ > | Web: http://web.morgul.net/~frodo/ > | PGP Public Key: http://web.morgul.net/~frodo/mail.html > > -BEGIN PGP SIGNATURE- > Version: PGPfreeware 5.0i for non-commercial use > Charset: noconv > > iQCVAwUBOW5kTIdCcpBjGWoFAQGFjAP/V/dalkL6GK7O8Mwbgd//3GpLQLU7e5GG > wPl9hHIZm8tjx1FOHlxtnpxHw8RREof1ttubhR1n2Rvs8UVXfHpqIf0V5nQf2FGA > viuMT6NUtFfi2fcvq9607vc2nPPR8yqwe5aMFhVV3fj13PpIYRqxz0nnuH7NoU+F > 3AN2DeTRBDo= > =MEnf > -END PGP SIGNATURE- > > > -- > Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null > -- Using Linux
Re: display export??
-BEGIN PGP SIGNED MESSAGE- On Fri, 14 Jul 2000, Ragga Muffin wrote: > > do I need to export DISPLAY localhost? Im not sure of the syntax...am I on > > the right track? > > Yes and no. What yuo need to do is temporarily permit x-connections from > your localhost if you want to start an x program with a different > user than the current session (in this case root) > > Simply execute 'xhost +localhost' before doing a su. I think that doing xhost local:root is better. There are 2 reasons for this: 1. You're specifying a user name, which gives added security if you've got a multi-user system. 2. You're specifying a local connection, not a connection that uses a network interface. The X server connections with use Unix sockets, not TCP sockets. This gives you less overhead since you don't have to send all your data through a TCP stack. noah ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html -BEGIN PGP SIGNATURE- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOW5kTIdCcpBjGWoFAQGFjAP/V/dalkL6GK7O8Mwbgd//3GpLQLU7e5GG wPl9hHIZm8tjx1FOHlxtnpxHw8RREof1ttubhR1n2Rvs8UVXfHpqIf0V5nQf2FGA viuMT6NUtFfi2fcvq9607vc2nPPR8yqwe5aMFhVV3fj13PpIYRqxz0nnuH7NoU+F 3AN2DeTRBDo= =MEnf -END PGP SIGNATURE-
Re: display export??
"Ethan Pierce" <[EMAIL PROTECTED]> wrote: > Im new to debian so Im not familiar with all the display settings. When I > used mandrake, there were certain programs that needed to be run as root - > like linuxconf/mtv/xcdroast etcall I needed to do was su and run them. > Now in debian when I try such a move, i get a "cant set display" not > authorized > > do I need to export DISPLAY localhost? Im not sure of the syntax...am I on > the right track? Yes and no. What yuo need to do is temporarily permit x-connections from your localhost if you want to start an x program with a different user than the current session (in this case root) Simply execute 'xhost +localhost' before doing a su. HTH -- Ragga
Re: display export??
-BEGIN PGP SIGNED MESSAGE- On Thu, 13 Jul 2000, Bolan Meek wrote: > I'm not understanding how to > directly change this, but an easy work-around is to CTL-ALT-F2...F3, > log in as root, and startx -- :1. This starts a new display. > > Then, you can flip between them with CTL-ALT-F7 ... CTL-ALT-F8. There's a much easier workaround for this: Give root permission to access the display (i.e. the X Server). There are many issues with allowing any kind of access to the X server, and you don't want to do it unnecessarily. But in this case, since everybody (your user and the root login via su) it's probably safe. As the user who owns the X session, run 'xhost local:root' Then as the root user (in the shell where you'll be running commands as root), run 'export DISPLAY=:0' to tell X clients run within that shell what display to access. HTH. noah ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html -BEGIN PGP SIGNATURE- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBOW4nHodCcpBjGWoFAQGtawQAgMuiiXPKGc88BnGhkJ4fcZwVMgbdGWCe enXp1bekaKKl4cvV+DUihdJ0E+SuozpgR+Bo3gGYa0NTG3okvEAYVB34Obo3TTYC S52XQsLv9gUaT3UpOyhM/6EdPlM66r4QxhRTHC0wHHsZDVd6OnQOLP7WHi0B2bMc DGBg1vEfC+M= =qV/t -END PGP SIGNATURE-
Re: display export??
> Ethan Pierce wrote: > > Im new to debian so Im not familiar with all the display settings. > When I used mandrake, there were certain programs that needed to be > run as root - like linuxconf/mtv/xcdroast etcall I needed to do > was su and run them. Now in debian when I try such a move, i get a > "cant set display" not authorized > > do I need to export DISPLAY localhost? Im not sure of the syntax...am > I on the right track? The problem is that the xserver session belongs to you as a user, and it doesn't want anyone else, including root, to be executing clients on the same platform. I'm not understanding how to directly change this, but an easy work-around is to CTL-ALT-F2...F3, log in as root, and startx -- :1. This starts a new display. Then, you can flip between them with CTL-ALT-F7 ... CTL-ALT-F8. -- [EMAIL PROTECTED] 972-729-5387 [EMAIL PROTECTED] (home phone on request) http://www.koyote.com/users/bolan RE: xmailtool http://www.koyote.com/users/bolan/xmailtool/index.html I am the "ILOVEGNU" signature virus. Just copy me to your signature. This email was infected under the terms of the GNU General Public License.
display export??
Im new to debian so Im not familiar with all the display settings. When I used mandrake, there were certain programs that needed to be run as root - like linuxconf/mtv/xcdroast etcall I needed to do was su and run them. Now in debian when I try such a move, i get a "cant set display" not authorized do I need to export DISPLAY localhost? Im not sure of the syntax...am I on the right track?