[sudo-users] pam_xauth-type functionality with sudo

Jason Bradley Nance jbnance at tresgeek.net
Fri Oct 19 22:31:19 EDT 2007

Hello everyone,
     I'm attempting to resolve an issue with trusted X forwarding and 
sudo.  The scenario goes like this:

ssh -Y somehost
xclock (exports successfully)
su - someuser
xclock (exports successfully)
sudo su - someuser
xclock (fails)

The failure is due to the lack of the transference of the .Xauth tokens 
(the $DISPLAY variable is still set, but the xauth data is missing). 
When you use su alone to change users, pam_xauth takes care of 
transferring the tokens from the original user to the next, but this 
doesn't seem to work with sudo (various googles seem to say it has to do 
with the way sudo calls pam).

Does anyone have an ideas on how to get around this issue?  The end goal 
is to allow specific users (dbas in the 'dba' group) to ssh to a server, 
change to a specific user ('oracle' - without setting a password for 
that user), and then run exported X apps over their ssh connection 
(without having to manually copy their original .Xauthority around).

Kind of like pam_wheel for su, but not for root.  =)

Ideas are appreciated.


More information about the sudo-users mailing list