5

I want to start a second X server from within an already running X session.

Until Debian 8 I can edit /etc/X11/Xwrapper.config and change line allowed_users=console to allowed_users=anybody. This allows me as an unprivileged user to run X from within X. X is a setuid wrapper for Xorg.

Things changed in Debian 9: X is no longer a setuid wrapper; instead, privileges needed by X are ruled by systemd. The file /etc/X11/Xwrapper.config does not exist anymore.

It is possible to restore legacy behaviour with package xserver-xorg-legacy. Then /etc/X11/Xwrapper.config has to contain the lines

allowed_users=anybody
needs_root_rights=yes

Another possibility is to switch to one of tty1...tty6 and to run X with xinit xterm -- :1 vt1 while vt1...vt6 must comply to tty1...tty6. (tty8...tty12 / vt8...vt12 are not available anymore.)

I want to avoid using legacy settings and to avoid switching to console. I want back the possibility of xinit xterm -- :1 vt8.

How can I set up systemd to allow unprivileged users to start a second X server from within an already running X?

1
  • I'm not sure this is relevant to your query; have you looked into Xephyr with different permissions? en.m.wikipedia.org/wiki/Xephyr Commented Jul 26, 2017 at 12:42

1 Answer

4

I recommend not using xinit, because it is vulnerable. Use startx instead. xinit appears to be written to accept X connections from any user ID, without warning or documentation. startx appears to fix this. I do not know why this situation is tolerated, or how it happened in the first place.

As root:

systemd-run --property PAMName=login \
            --property User=my-user \
            --property StandardInput=tty \
            --property TTYPath=/dev/tty8 \
            sh -c 'chvt 8 && startx /usr/bin/xterm -- :1'

The magic is in defining PAMName=, to open a PAM session, and associating that session with the specific TTY. This gets pam_systemd to do what you want. I spoofed login - though technically you're supposed to define a new PAM "service name" in case it needs some special treatment.

So you can write a script which performs the desired command. Then grant access to run that script as root, using sudo.

If you use SELinux, you'll have to fight that as well.

1
  • Thanks for your comment here. I tried your method and it works great! Here's the script I wrote. I'm not sure which of the many duplicates of this question should be closed though Commented Dec 9, 2019 at 13:17
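
The answer's last step (a root-run script exposed through sudo) could look like the sketch below. It is an added example, not the answer's code or the script linked in the comment; the install path /usr/local/sbin/startx-on-vt, the sudoers line and the allowed VT range 8..12 are assumptions. It takes the target user from SUDO_USER and accepts only an allow-listed VT number, so no caller-controlled string reaches the root shell unvalidated.

```shell
#!/bin/sh
# Added example: wrapper around the systemd-run command from the answer.
# Assumed sudoers entry (edit with visudo), path is hypothetical:
#   my-user ALL=(root) NOPASSWD: /usr/local/sbin/startx-on-vt
PATH=/usr/sbin:/usr/bin:/sbin:/bin   # do not trust the caller's PATH

# Allow-list of VT numbers; anything else (empty, "8; cmd", "08") is refused.
valid_vt() {
    case "$1" in
        8|9|10|11|12) return 0 ;;
        *) return 1 ;;
    esac
}

# Conservative user-name check: non-empty, not root, no leading dash,
# only letters, digits, '_', '.', '-'.
valid_user() {
    case "$1" in
        ''|root|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# launch RUNNER USER VT: RUNNER is systemd-run in production; passing
# "echo" instead prints the argument list for inspection.
# The VT is handed to the inner shell as "$1", never pasted into its script.
launch() {
    runner=$1 user=$2 vt=$3
    "$runner" --property PAMName=login \
              --property "User=$user" \
              --property StandardInput=tty \
              --property "TTYPath=/dev/tty$vt" \
              sh -c 'chvt "$1" && startx /usr/bin/xterm -- :1' sh "$vt"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must be run through sudo" >&2; return 1; }
    valid_user "${SUDO_USER:-}" || { echo "refusing SUDO_USER" >&2; return 1; }
    valid_vt "${1:-}" || { echo "usage: $0 VT  (8..12)" >&2; return 1; }
    launch systemd-run "$SUDO_USER" "$1"
}

# With no arguments the file only defines its functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the sudoers entry permits any arguments, all validation has to live in the script, and the script file itself must be writable only by root.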
