firefox as separate account can't open display - Mandriva

  1. firefox as separate account can't open display

    Somebody in this newsgroup has said several times that he has
    a separate user account from which he does all his web
    browsing. Do I remember correctly that Bit Twister is that
    person?

    I'm trying to do that, but I have run into a problem. I
    have my sudoers file set up to allow running the "firefox"
    command as the second user. However, I get a message that
    Firefox cannot connect to the X server. There is also a
    message that no protocol has been specified. I can run a
    shell as the second user and start X clients, but running a
    single command evidently takes some incantation I haven't
    yet found?

    What's the secret?

    Thanks.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  2. Re: firefox as separate account can't open display

    On Sun, 13 Jan 2008 05:51:50 GMT, Robert M. Riches Jr. wrote:
    > Somebody in this newsgroup has said several times that he has
    > a separate user account from which he does all his web
    > browsing. Do I remember correctly that Bit Twister is that
    > person?


    That would be the person.


    > I'm trying to do that, but I have run into a problem. I
    > have my sudoers file set up to allow running the "firefox"
    > command as the second user.


    No need to be playing in sudoers file.

    > However, I get a message that Firefox cannot connect to the X server.


    In my ~browser/.bash_profile, I have


    if [ -z "$SSH_CLIENT" ] ; then
        export DISPLAY=:0.0
    fi


    > What's the secret?


    First thing to try is doing a ssh firefox_account@$(hostname)

    and see if you get logged into the firefox account and if you can get
    firefox to run.

    I have a script to jump to a desktop, and if user is not running
    kick off an xterm to do the ssh firefox login.

    Not part of your problem, but you may want to add your firefox account
    to the audio group. If you use passwordless login to the firefox account
    via ssh, you can set a null password.


    $ cat xbrowser
    #************************************************************
    #*
    #* log into another node as browser
    #*
    #************************************************************

    _user=browser
    _target=$(hostname --fqdn)
    _app=firefox
    _browsing_desktop=2

    # switch KDE to the desktop used for browsing
    dcop kwin default setCurrentDesktop $_browsing_desktop > /dev/null

    sleep 1

    # nothing to do if the browser is already running as $_user
    pgrep -U $_user $_app
    if [ $? -eq 0 ] ; then
        exit 0
    fi

    _cmd="ssh $_user@$_target"

    # set the terminal window title
    echo -e "\033]2;$(hostname --fqdn): $_user \007"

    xterm -title $_user -display $DISPLAY -geom 30x3+439+439 \
        -e $_cmd \
        &

    #****************** end xbrowser *************************

  3. Re: firefox as separate account can't open display

    On 2008-01-13, Bit Twister wrote:
    > On Sun, 13 Jan 2008 05:51:50 GMT, Robert M. Riches Jr. wrote:
    >> Somebody in this newsgroup has said several times that he has
    >> a separate user account from which he does all his web
    >> browsing. Do I remember correctly that Bit Twister is that
    >> person?

    >
    > That would be the person.


    Good. Thanks.

    >> I'm trying to do that, but I have run into a problem. I
    >> have my sudoers file set up to allow running the "firefox"
    >> command as the second user.

    >
    > No need to be playing in sudoers file.
    >
    >> However, I get a message that Firefox cannot connect to the X server.

    >
    > In my ~browser/.bash_profile, I have
    >
    >
    > if [ -z "$SSH_CLIENT" ] ; then
    > export DISPLAY=:0.0
    > fi
    >
    >
    >> What's the secret?

    >
    > First thing to try is doing a ssh firefox_account@$(hostname)
    >
    > and see if you get logged into the firefox account and if you can get
    > firefox to run.
    >
    > I have a script to jump to a desktop, and if user is not running
    > kick off an xterm to do the ssh firefox login.
    >
    > Not part of your problem, but you may want to add your firefox account
    > to the audio group. If you use passwordless login to the firefox account
    > via ssh, you can set a null password.


    Ah, yes. I need to add the firefox account to the audio
    group and a few other groups.

    > $ cat xbrowser
    > #************************************************************
    > #*
    > #* log into another node as browser
    > #*
    > #************************************************************
    >
    > ...


    That script uses a very different approach. That script
    uses ssh. Using ssh to run X clients is a relatively easy
    thing to do, but it is my understanding that ssh introduces
    significant encryption CPU burden and multiple process
    switch latencies to tunnel the X stuff through ssh.

    I'm trying to use sudo and/or su without ssh to avoid the
    CPU burden and latency the ssh tunnel would involve. For
    example,

    su -l --command="xclock -digital" otheraccount

    will run the xclock client from account 'otheraccount', but
    (of course) requires a password. I want to use sudo to get
    rid of the password entry, but I have yet to decipher the
    man page sufficiently to find the incantation to do that.
    So far, it appears 'su' handles the necessary xauth stuff,
    but 'sudo' with a RunAs clause does not.

    Any other suggestions that don't involve ssh?

    Thanks.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  4. Re: firefox as separate account can't open display

    On Mon, 14 Jan 2008 19:29:22 GMT, Robert M. Riches Jr. wrote:
    >
    > Ah, yes. I need to add the firefox account to the audio
    > group and a few other groups.


    Hmm, what other groups if I might ask?

    > That script uses a very different approach. That script
    > uses ssh. Using ssh to run X clients is a relatively easy
    > thing to do, but it is my understanding that ssh introduces
    > significant encryption CPU burden and multiple process
    > switch latencies to tunnel the X stuff through ssh.


    I have not noticed that "significant encryption CPU burden and
    multiple process switch latencies"


    > will run the xclock client from account 'otheraccount', but
    > (of course) requires a password. I want to use sudo to get
    > rid of the password entry,


    Yes, I set it up so ssh does not prompt for password for access.

    > Any other suggestions that don't involve ssh?


    That was reason for the script, on 2006.0, you could use rlogin with a
    .rhosts file.

    On 2007.0 and greater, rlogin requires a Kerberos server to use rlogin.

  5. Re: firefox as separate account can't open display

    On 2008-01-14, Bit Twister wrote:
    > On Mon, 14 Jan 2008 19:29:22 GMT, Robert M. Riches Jr. wrote:
    >>
    >> Ah, yes. I need to add the firefox account to the audio
    >> group and a few other groups.

    >
    > Hmm, what other groups if I might ask?


    Now that you mention it, maybe I don't need to add them to
    any others. I had been thinking floppy, cdrom, usb, and
    maybe video. On second thought, the firefox account
    shouldn't need those. The other other account I'm setting
    up, for playing with Eclipse (to keep its mess out of my
    main account), will likely need at least some of them,
    though.

    >> That script uses a very different approach. That script
    >> uses ssh. Using ssh to run X clients is a relatively easy
    >> thing to do, but it is my understanding that ssh introduces
    >> significant encryption CPU burden and multiple process
    >> switch latencies to tunnel the X stuff through ssh.

    >
    > I have not noticed that "significant encryption CPU burden and
    > multiple process switch latencies"


    That's good. If I can't get anything outside ssh to work,
    that will be good news.

    >> will run the xclock client from account 'otheraccount', but
    >> (of course) requires a password. I want to use sudo to get
    >> rid of the password entry,

    >
    > Yes, I set it up so ssh does not prompt for password for access.
    >
    >> Any other suggestions that don't involve ssh?

    >
    > That was reason for the script, on 2006.0, you could use rlogin with a
    > .rhosts file.
    >
    > On 2007.0 and greater, rlogin requires a Kerberos server to use rlogin.


    I wouldn't think you would find setting a kerberos server
    very difficult.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)

  6. [Solved] Re: firefox as separate account can't open display

    Thanks for some ideas, Bit Twister, and perhaps others who
    responded about setting up Firefox to run under another user
    account. I think I have it working.

    I had used tar to copy over my .mozilla to the new account.
    The only extra work I found I needed was to reinstall
    flashblock (for some reason, it had quit working), tweak the
    default locale for the firefox account, and (as Bit Twister
    pointed out) add the firefox account to the audio group.

    In case it might help someone else, the big issue I had was
    the command lines to sudo and su. It looks like su sets up
    the XAUTHORITY stuff that sudo with a RunAs alias did not.
    Here's what I put in sudoers, ROBOTHERUSERS and
    ROBOTHERHOSTS being my main account name and the hostnames I
    use:

    Cmnd_Alias ROBSU2CMD = /bin/su -l rob2 , /bin/su -l rob2 -c *
    ROBOTHERUSERS ROBOTHERHOSTS = NOPASSWD: ROBSU2CMD

    Then, in my script that calls Firefox, I use the form

    sudo /bin/su -l rob2 -c "firefox $arg"

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)
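
The launcher line in the post above, `sudo /bin/su -l rob2 -c "firefox $arg"`, places `$arg` inside a command string that rob2's login shell parses again, so a URL containing a space, a quote or a `;` is split or run as shell syntax. The sketch below is an added example, not code from the thread: the function names and the sample URL are constructed, and it assumes the thread's `rob2` account and NOPASSWD sudoers rule.

```shell
#!/bin/sh
# Added example (not from the thread): quote each argument before it is
# placed in the string that `su -c` hands to rob2's login shell.

# shell_quote ARG: print ARG wrapped in single quotes, with every
# embedded single quote rewritten as '\'' so the shell reads it literally.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_browser_cmd ARG...: print the command string for `su -c`.
build_browser_cmd() {
    cmd="firefox"
    for a in "$@"; do
        cmd="$cmd $(shell_quote "$a")"
    done
    printf '%s' "$cmd"
}

# launch_browser ARG...: same call as in the post, with quoted arguments.
# Assumes the rob2 account and the sudoers rule described in the thread.
launch_browser() {
    sudo /bin/su -l rob2 -c "$(build_browser_cmd "$@")"
}

# Constructed sample input: a URL with a space, a quote and a ';'.
SAMPLE_URL="http://example.test/?q=it's a test;echo INJECTED"

# Show what rob2's shell would receive (nothing is launched here).
build_browser_cmd "$SAMPLE_URL"
echo
```

A calling script would use `launch_browser "$arg"` in place of the unquoted form; the sudoers rule still permits any command as rob2, so the quoting only governs how the URL is parsed.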

  7. Re: firefox as separate account can't open display

    On Sun, 13 Jan 2008 05:51:50 GMT, Robert M. Riches Jr. wrote:
    > Somebody in this newsgroup has said several times that he has
    > a separate user account from which he does all his web
    > browsing. Do I remember correctly that Bit Twister is that
    > person?


    Something else to consider is a clean install.

    I use my accounts across other distributions and releases.
    At one time first Mandrake assigned UID/GID was 500, then 501 on
    another release. Some distributions start at 1000.

    What I have done is start my accounts at 1500. Now on clean installs I
    create an account, junk, su to root, and append my accounts to the
    bottom of /etc/passwd,shadow,group,gshadow using cat. Example:

    cat /rst/local/config/group_1500 >> /etc/group
    cat /rst/local/config/gshadow_1500 >> /etc/gshadow
    cat /rst/local/config/passwd_1500 >> /etc/passwd
    cat /rst/local/config/shadow_1500 >> /etc/shadow

    /rst is wherever the restore media/iso is mounted.

    Here is the script to extract the 15xx accounts.

    #!/bin/bash
    #******************************************************************
    #*
    #* save_1500 - Saves 15?? uid/gid into /etc/*_1500
    #*
    #* saves 15?? uid/gid /etc/passwd,group,gshadow,shadow to /etc/*_1500
    #*
    #* To append/restore results after a clean install
    #* cat /etc/group_1500 >> /etc/group
    #* cat /etc/gshadow_1500 >> /etc/gshadow
    #* cat /etc/passwd_1500 >> /etc/passwd
    #* cat /etc/shadow_1500 >> /etc/shadow
    #*
    #******************************************************************
    typeset -i i=0

    _ifs_bkup="${IFS}"

    function ld_ary
    {
        #**********************************************
        #*
        #* ld_ary - load array[] with first name from
        #* each line from /etc/arg1_1500
        #*
        #* End of array[] contains --
        #*
        #**********************************************

        _ary_fn=/etc/${1}_1500

        IFS=":"
        i=0

        while read line ; do
            set -- $line
            array[$i]=$1
            i=$(( $i + 1 ))
        done < $_ary_fn

        array[$i]="--"

        IFS="${_ifs_bkup}"

    } # end ld_ary

    function gen_1500
    {
        #**********************************************
        #*
        #* gen_1500 - generate /etc/arg1_1500.
        #*
        #* reads /etc/arg1 file and any lines starting with
        #* a name found in array[] are written to
        #* /etc/arg1_1500 with the supplied arg2 perm.
        #*
        #**********************************************

        _in_fn=/etc/$1
        _out_fn=/etc/${1}_1500

        /bin/cp /dev/null $_out_fn
        chmod $2 $_out_fn

        while read line ; do
            _parse=$line
            IFS=":"
            set -- $_parse
            IFS="${_ifs_bkup}"
            i=0
            while [ "${array[$i]}" != "--" ] ; do
                if [ "${array[$i]}" = "$1" ] ; then
                    # quoted so the line is written exactly as read
                    echo "$line" >> $_out_fn
                    break
                fi
                i=$(( $i + 1 ))
            done

        done < $_in_fn

        IFS="${_ifs_bkup}"

    } # end gen_1500

    #***********************************
    #*
    #* Main code start here
    #*
    #***********************************

    grep ':15' /etc/group | grep -v ':15:' | sort -n -t ':' --key=3 > /etc/group_1500
    grep ':15' /etc/passwd | grep -v ':15:' | sort -n -t ':' --key=3 > /etc/passwd_1500

    ld_ary group
    gen_1500 gshadow 600

    ld_ary passwd
    gen_1500 shadow 600

    #**************** end save_1500 **********************************

  8. Re: firefox as separate account can't open display

    On 2008-01-18, Bit Twister wrote:
    > On Sun, 13 Jan 2008 05:51:50 GMT, Robert M. Riches Jr. wrote:
    >> Somebody in this newsgroup has said several times that he has
    >> a separate user account from which he does all his web
    >> browsing. Do I remember correctly that Bit Twister is that
    >> person?

    >
    > Something else to consider is a clean install.
    >
    > I use my accounts across other distributions and releases.
    > At one time first Mandrake assigned UID/GID was 500, then 501 on
    > another release. Some distributions start at 1000.
    >
    > What I have done is start my accounts at 1500. Now on clean installs I
    > create an account, junk, su to root, and append my accounts to the
    > bottom of /etc/passwd,shadow,group,gshadow using cat. Example:
    >
    > cat /rst/local/config/group_1500 >> /etc/group
    > cat /rst/local/config/gshadow_1500 >> /etc/gshadow
    > cat /rst/local/config/passwd_1500 >> /etc/passwd
    > cat /rst/local/config/shadow_1500 >> /etc/shadow
    >
    > /rst is wherever the restore media/iso is mounted.
    >
    > Here is the script to extract the 15xx accounts.
    >
    > ...


    Clean installations are definitely the way to go. I also do
    something similar (but a little less fancy) to put real user
    accounts into each new installation.

    --
    Robert Riches
    spamtrap42@verizon.net
    (Yes, that is one of my email addresses.)
