sudo with problems

William Hooper whooper@freeshell.org
Thu Apr 24 19:24:00 2003


Sent back to the list so it can be archived...

Uwe Dippel said:
> --- William Hooper <whooper@freeshell.org> wrote:
>
>> Ah-ha!  I think you might be interested in this bugzilla entry:
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=65590
>
> Read it. But I'm in anything but Xwindows.

VNC is Xwindows.  The issue is the fact that su (and sudo) doesn't play
nice with xauth.

>> The only thing I can think of that makes my situation (that works)
>> different than the case they present is that I run at init 3 (text
>> login)
>> and not init 5 (GUI login).  I will see if I can reproduce this error
>> by
>> changing to init 5, but that will have to wait until I get home from
>> work.
>
> Which is what I wrote: runlevel 3 is without any trouble. Since - sorry
> for my lack of knowledge here - locking is to reserve resources, there
> is no need to eventually do so with no local X up ?
> Just a guess,
>
> Uwe

I think you are focusing on the wrong part of the error.  It is basically
saying that xauth can't create the files it needs (because the user
doesn't have permission to /root).

I hypothesize that the reason init 3 works is because at that point you
don't have any XAUTHORITY environment set.  Because of this line in
/usr/bin/vncserver:

$xauthorityFile = "$ENV{XAUTHORITY}" || "$ENV{HOME}/.Xauthority";

It gets set to ~/.Xauthority correctly.  If the XAUTHORITY is defined it
tries to use that (and fails).

Basically it boils down to being an issue in your test environment because
you are doing the "sudo" line after having XAUTHORITY set.  The script
that is run on boot (/etc/init.d/vncserver) doesn't have this issue
because XAUTHORITY hasn't been set yet.

Maybe try forcing $xauthorityFile in the script to be
"$ENV{HOME}/.Xauthority" by changing the line to:

$xauthorityFile = "$ENV{HOME}/.Xauthority";

If that doesn't work, I think you have three choices: a) use one of the
workarounds mentioned in the bugzilla entry; b) remove the xauth stuff
from the /usr/bin/vncserver script (as earlier suggested); or c) somewhere
put a "xauth +hostname" (which only gives you the xauth security from
other machines, not local users).

-- 
William Hooper
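
A shell check for the condition described in this message, added here as an example and not part of the original post or of the vncserver script. It mirrors the quoted $xauthorityFile line and reports whether an XAUTHORITY value inherited through sudo points somewhere the current user cannot write. The function names pick_xauthority, xauthority_usable and diagnose are hypothetical.

```shell
#!/bin/sh
# Added example (not from /usr/bin/vncserver): reproduce the file selection
# made by the quoted Perl line and test whether xauth could use the result.

# pick_xauthority XAUTHORITY_VALUE HOME_VALUE
# Mirrors: $xauthorityFile = "$ENV{XAUTHORITY}" || "$ENV{HOME}/.Xauthority";
pick_xauthority() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"          # inherited value wins when non-empty
    else
        printf '%s\n' "$2/.Xauthority"
    fi
}

# xauthority_usable FILE
# xauth creates its lock files next to the authority file, so the
# containing directory must exist and be writable and searchable, and an
# existing authority file must itself be writable.
xauthority_usable() {
    dir=$(dirname -- "$1")
    [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ] || return 1
    [ ! -e "$1" ] || [ -w "$1" ]
}

# diagnose XAUTHORITY_VALUE HOME_VALUE
# Prints ok:<file>, inherited-unusable:<file> or home-unusable:<file>.
diagnose() {
    file=$(pick_xauthority "$1" "$2")
    if xauthority_usable "$file"; then
        echo "ok:$file"
    elif [ -n "$1" ]; then
        # The case in this thread: XAUTHORITY was set before "sudo"
        # and names a file under a directory this user cannot write to.
        echo "inherited-unusable:$file"
    else
        echo "home-unusable:$file"
    fi
}

# Report on the environment this script was started in.
diagnose "${XAUTHORITY:-}" "${HOME:-}"
```

Run it as the target user from the same shell that issues the "sudo" line; an inherited-unusable result matches the failure discussed above.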