View previous topic :: View next topic |
Author |
Message |
krumpf Apprentice
Joined: 15 Jul 2018 Posts: 185
|
Posted: Fri Nov 25, 2022 8:02 am Post subject: doas issue, cannot open display: :0.0 |
|
|
Hi,
Since my last weekly system update, I got an issue with doas, it seems that commands that use a GUI won't start, and complain about inability to open display.
Code: | krumpf@fractal ~ $ doas mousepad text_file
doas (krumpf@fractal) password:
Authorization required, but no authorization protocol specified
(mousepad:5621): Gtk-WARNING **: 08:38:39.533: cannot open display: :0.0
krumpf@fractal ~ $ doas -s
doas (krumpf@fractal) password:
fractal /home/krumpf # mousepad text_file
Authorization required, but no authorization protocol specified
(mousepad:5655): Gtk-WARNING **: 08:39:04.209: cannot open display: :0.0
|
It used to work like a charm, I didn't change any configuration file, making me wonder what the heck is going wrong.
If I use su to get root privileges, launching apps with a GUI gives no trouble.
Destkop is XFCE (no wayland here), drivers are nvidia 515.65.01, if additional infos are needed, let me know. |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
|
Posted: Fri Nov 25, 2022 10:35 am Post subject: |
|
|
Hi
Do you have
file?
If not run
Code: |
touch ~/.Xauthority
|
log out and back in. _________________
|
|
Back to top |
|
|
krumpf Apprentice
Joined: 15 Jul 2018 Posts: 185
|
Posted: Fri Nov 25, 2022 11:45 am Post subject: |
|
|
Yes, the .Xauthority file is present in my home folder, its timestamp shows it's been created when X server started.
Code: | -rw------- 1 krumpf krumpf 52 25 nov. 12:32 .Xauthority |
If, in a terminal, I login as root (either through doas or su), the .Xauthority is also present in root's home folder, same timestamp, but it shows a 0 byte size.
Code: | -rw------- 1 root root 0 25 nov. 12:32 .Xauthority |
Edit : I discovered the xauth command and its results are inconsistent according to the way I'm logged into a terminal
As normal user
Code: | krumpf@fractal ~ $ xauth
Using authority file /home/krumpf/.Xauthority |
As root through doas
Code: | fractal /home/krumpf # xauth
Using authority file /root/.Xauthority
|
As root through su
Code: | fractal /home/krumpf # xauth
Using authority file /root/.xauthGogBm1 |
3 different files for Xauthority, is that normal ? Could that be the cause of doas inability to open display :0.0 ? |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Fri Nov 25, 2022 1:39 pm Post subject: |
|
|
I think it's perfectly fine that you cannot run X11 applications after changing users with doas.
It should also not be possible after changing users with su. That's why we have sux.
I'm not an X11 security expert. But it seems that you are/were able to run X11 applications after su or doas, because there's a security flaw on your machine. |
|
Back to top |
|
|
krumpf Apprentice
Joined: 15 Jul 2018 Posts: 185
|
Posted: Fri Nov 25, 2022 4:21 pm Post subject: |
|
|
mike155 wrote: | I think it's perfectly fine that you cannot run X11 applications after changing users with doas.
It should also not be possible after changing users with su. That's why we have sux.
I'm not an X11 security expert. But it seems that you are/were able to run X11 applications after su or doas, because there's a security flaw on your machine. |
Sounds weird to me
For years I've been using sudo mousepad on other distros without any trouble. There are even applications with GUI that actually require root privileges (e.g. gparted), and it never felt like there was a security flaw. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22578
|
Posted: Fri Nov 25, 2022 4:59 pm Post subject: |
|
|
For each of the working and non-working cases, check the value of the environment variables $DISPLAY, $XAUTHORITY. Check that $XAUTHORITY points to a file which is readable by the calling user, and is current. Historically, PAM configuration would pass through some of this state using pam_xauth.so. Perhaps that is no longer enabled for you. |
|
Back to top |
|
|
krumpf Apprentice
Joined: 15 Jul 2018 Posts: 185
|
Posted: Fri Nov 25, 2022 6:32 pm Post subject: |
|
|
As regular user
Code: | krumpf@fractal ~ $ env | grep -E "DISPLAY|XAUTH"
XAUTHORITY=/home/krumpf/.Xauthority
DISPLAY=:0.0
-rw------- 1 krumpf krumpf 52 25 nov. 12:32 /home/krumpf/.Xauthority |
Both env variables exists, and the .Xauthority file got created when X server started during my last boot.
As root through su
Code: | fractal ~ # env | grep -E "DISPLAY|XAUTH"
XAUTHORITY=/root/.xauthhJxC0v
DISPLAY=:0.0
-rw------- 1 root root 52 25 nov. 18:55 /root/.xauthhJxC0v |
Both env variables exists, and the .xauthhJxC0v file got created when I got root privileges, and is destroyed when I quit the 'su' terminal.
As root through doas
Code: | fractal ~ # env | grep -E "DISPLAY|XAUTH"
DISPLAY=:0.0
-rw------- 1 root root 0 Nov 25 12:32 /root/.Xauthority |
Here, $XAUTHORITY env variable doesn't seems to exist despite xauth command says it's using file /root/.Xauthority
and the /root/.Xauthority file feels weird: it's 0 byte, and its timestamp matches the X server starts.
Starting to think it could be a doas bug, I'll reinstall sudo and give it a try. |
|
Back to top |
|
|
krumpf Apprentice
Joined: 15 Jul 2018 Posts: 185
|
Posted: Fri Nov 25, 2022 6:46 pm Post subject: |
|
|
Been reinstalling sudo, and it works, I can "sudo mousepad" and mousepad will launch.
So I guess it's a doas bug (or some incompatibility with pam), could anyone confirm ? |
|
Back to top |
|
|
irets Apprentice
Joined: 17 Dec 2019 Posts: 228
|
Posted: Fri Nov 25, 2022 6:54 pm Post subject: |
|
|
Seems to be broken on my system too.
Code: | irets@navi ~ $ doas thunar
doas (irets@navi) password:
thunar: Failed to initialize Xfconf: Error spawning command line ?dbus-launch --autolaunch=8a768050c21c613b74502b3b602e71fe --binary-syntax --close-stderr?: Child process exited with code 1
Authorization required, but no authorization protocol specified
(thunar:5635): Gtk-WARNING **: 20:53:40.100: cannot open display: :0
|
|
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22578
|
Posted: Fri Nov 25, 2022 8:21 pm Post subject: |
|
|
xauth defaults to $HOME/.Xauthority if $XAUTHORITY is unset.
Do you have the pam configuration for doas set to use the pam_xauth.so module? |
|
Back to top |
|
|
krumpf Apprentice
Joined: 15 Jul 2018 Posts: 185
|
Posted: Fri Nov 25, 2022 8:57 pm Post subject: |
|
|
The doas package provides a pam config file /etc/pam.d/doas
Code: | krumpf@fractal ~ $ cat /etc/pam.d/doas
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth |
but, should it be the reason for my issue, I got no idea about how to fix it. |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
|
Posted: Fri Nov 25, 2022 10:29 pm Post subject: |
|
|
Try adding
Code: |
session optional pam_xauth.so
|
in doas pam file.
Do you get same error with sudo also?
This clause only appears in su and runuser pam files. _________________
|
|
Back to top |
|
|
krumpf Apprentice
Joined: 15 Jul 2018 Posts: 185
|
Posted: Fri Nov 25, 2022 10:58 pm Post subject: |
|
|
@alamahant
Added the line to the doas pam file, rebooted and... nope, it didn't change anything.
No errors with sudo.
Now, maybe I could try changing the "include" in doas pam file to "substack" (aka just copy/paste the sudo pam file),
as I understand it, both doas & sudo invoke the system-auth pam file
but right now, I'm starting to yawn, and in my experience it's usually not the best time to tweak system files, so I'll try tomorrow. |
|
Back to top |
|
|
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
|
Posted: Fri Nov 25, 2022 11:19 pm Post subject: |
|
|
Try this
Code: |
sudo rm /root/.xauth*
su -
mv /root/.xauthhxxxxx /root/.Xauthority
exit
doas mousepad .....
OR
su -
rm ~/.Xauthority
touch ~/.Xauthority
xauth generate :0 . trusted
xauth add ${HOSTNAME}:0 . $(xxd -l 16 -p /dev/urandom)
|
Or even better fully log as root from your DM. _________________
|
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22578
|
Posted: Sat Nov 26, 2022 2:02 am Post subject: |
|
|
Running a graphical session as root is strongly discouraged, since almost no programs should need it. Similarly, rather than renaming the random xauth file, set $XAUTHORITY to point to the file you wish to use. |
|
Back to top |
|
|
krumpf Apprentice
Joined: 15 Jul 2018 Posts: 185
|
Posted: Sat Nov 26, 2022 11:55 am Post subject: |
|
|
So I tried replacing the doas pam file content with sudo one, and it didn't work.
Guess I'll use sudo for now, until I manage to understand the pam file syntax. |
|
Back to top |
|
|
sMueggli Guru
Joined: 03 Sep 2022 Posts: 481
|
Posted: Sat Nov 26, 2022 2:33 pm Post subject: |
|
|
If you use "sudo" you do not need to run the graphical editor with elevated privileges.
You can set the environment variable
and edit a file with Code: | sudoedit /etc/fstab # as an example |
The editor will then run with normal user privileges. |
|
Back to top |
|
|
ianisdo n00b
Joined: 16 Jan 2021 Posts: 18 Location: Chisinau, Moldova Republic of
|
Posted: Thu Apr 11, 2024 8:51 am Post subject: |
|
|
bump, Im having the same issue |
|
Back to top |
|
|
|