[sudo-users] pam_xauth-type functionality with sudo
Jason Bradley Nance
jbnance at tresgeek.net
Fri Oct 19 22:31:19 EDT 2007
Hello everyone,
I'm attempting to resolve an issue with trusted X forwarding and
sudo. The scenario goes like this:
    ssh -Y somehost
    xclock              (exports successfully)
    su - someuser
    xclock              (exports successfully)
    sudo su - someuser
    xclock              (fails)
The failure is due to the lack of the transference of the .Xauth tokens
(the $DISPLAY variable is still set, but the xauth data is missing).
When you use su alone to change users, pam_xauth takes care of
transferring the tokens from the original user to the next, but this
doesn't seem to work with sudo (various googles seem to say it has to do
with the way sudo calls pam).
Does anyone have any ideas on how to get around this issue? The end goal
is to allow specific users (dbas in the 'dba' group) to ssh to a server,
change to a specific user ('oracle' - without setting a password for
that user), and then run exported X apps over their ssh connection
(without having to manually copy their original .Xauthority around).
Kind of like pam_wheel for su, but not for root. =)
Ideas are appreciated.
j
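
Added example, not part of the original post: a Python check for the symptom described above, where $DISPLAY is set but the target user's Xauthority file has no cookie for that display. It parses the binary Xauthority record layout (2-byte big-endian family, then four length-prefixed fields); the helper names and the sample entries are constructed for illustration.

```python
import os
import struct

def parse_xauthority(blob):
    """Return a list of (family, address, number, name, data) tuples."""
    entries, pos = [], 0
    while pos < len(blob):
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):  # address, display number, auth name, auth data
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated Xauthority entry")
            fields.append(blob[pos:pos + n])
            pos += n
        entries.append((family, *fields))
    return entries

def display_number(display):
    """'localhost:10.0' -> '10' (host and screen parts are dropped)."""
    return display.rpartition(":")[2].split(".")[0]

def has_cookie(blob, display):
    """True if any entry carries non-empty auth data for this display number."""
    num = display_number(display).encode()
    return any(number == num and data
               for _, _, number, _, data in parse_xauthority(blob))

def make_entry(family, address, number, name, data):
    """Build one record; used only to construct the sample data below."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

# Constructed samples: the ssh login user holds a cookie for display 10
# (family 256 = FamilyLocal); the user reached via `sudo su -` holds none.
ORIGINAL_USER = make_entry(256, b"somehost", b"10",
                           b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
TARGET_USER = b""

if __name__ == "__main__":
    display = os.environ.get("DISPLAY", "localhost:10.0")
    path = os.environ.get("XAUTHORITY", os.path.expanduser("~/.Xauthority"))
    blob = open(path, "rb").read() if os.path.exists(path) else b""
    print(f"{path}: cookie for {display}:", has_cookie(blob, display))
```

Run as each user in the chain; the step where the result turns False is where the cookie stopped following the session.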