How to run a command for a specified online normal user as root in FreeBSD 14.2?

Dear all:
I have two users (gdman, root) on my FreeBSD 14.2 system.
1. The normal user gdman is logged in to FreeBSD 14.2 with the GNOME GUI.
2. I have used root over ssh to remotely access this computer. Now I want to use the root account to run a command "chrome http://bing.com" for the gdman user and display it in gdman's GNOME GUI. How do I do that? Thanks.
 
Code:
# become gdman
su - gdman
# get gdman's X authority
auth=$(xauth -f ~gdman/.Xauthority list | tail -1)
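# use gdman's established authority; $auth is left unquoted on purpose,
# because xauth add takes display, protocol and key as three separate arguments
xauth add $auth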
# set the DISPLAY correct
export DISPLAY=$(echo "$auth" | sed -e 's/.*\(:[0-9]*\) .*/\1/')
# run the X application
chromium http://bing.com
 
This is backwards. One should login as an unprivileged user first, then elevate privilege (using su, sudo, doas, ksu).
 
I have used root over ssh to remotely access this computer.
That's just a bad security practice. The less convenient it is for root to log into a particular machine and exercise some VERY powerful privileges (up to and including the famous rm -rf /*), the safer the machine will be. If you have to stop and think about the root password for a moment, the chances of quickly and carelessly destroying the system are much smaller.

Normally, on a barebones install, the SSH server is configured to NOT allow root to log in via SSH.

Why change that [very sensible] default setting? Especially considering that you can just run su AFTER logging in.

Also, if you want to launch Chromium as an unprivileged user, what's the point of logging in as root?
 
As others have observed, you should not generally login as root nor run GUI applications as root. For that reason, the first thing I did in the solution above was to remove root privilege. If you are already root, and need ongoing root privilege to do other things concurrently, the method shown is safe.
 
Dear astyle:
Below is who is logged in to my system.
gdman@notepad:~ $ who
root ttyv0 Feb 19 14:44
gdman ttyv1 Feb 19 14:50
root ttyv2 Feb 19 15:01

Question 1
First line: root logged in on a VT shell. When running some app, the system gives no response and I can't do anything, including typing anything.
Second line: gdman logged in with the GNOME GUI. Works normally.
Third line: root logged in on a VT shell. Works normally.
How do I use the /ttyv2 root to kick out the /ttyv0 root?

Question 2
How do I use the /dev/ttyv2 root to run a command "chrome http://bing.com" and send this command to gdman's GNOME GUI desktop?
Meaning: gdman works normally with the GNOME GUI. I log in to the system as root from remote, and I want to open a web page in front of gdman.
Thanks.
 
Dear gpw928:
I am root, so I don't need to su to a normal user to do this. Thanks.
 
Dear gpw928:
gdman@notepad:~ $ who
root ttyv0 Feb 19 14:44
gdman ttyv1 Feb 19 14:50
root ttyv2 Feb 19 15:01

Now one workmate, gdman, is logged in to the machine with the GNOME GUI. I am root and need to send a message to gdman and show it on his GNOME GUI desktop. Thanks.
 
Please clarify exactly what you want to communicate to user "gdman". e.g. a simple text message?
 
Dear gpw928:
Thanks for your help.
1. I want to send a message to display in the foreground of gdman's GNOME GUI.
2. Display web content to him.
3. Close some apps that gdman is using.
Thanks. My English is not good.
 
Why exactly do you want specifically root to log in from the side and show gdman a web page?

It really looks like a parent storming into a 10-year-old kid's room to show the kid some important info - because the kid is in trouble and does not realize even that much.

On the other hand, if you can think of legitimate real-life scenarios that require this sequence of events (like an emergency broadcast), there are better ways to do that. Those are more complicated, yes. But using root is a really bad idea for those scenarios. Normally, there's a specialized daemon to pass messages around, but it's a very limited one, and you gotta spend time learning how to make use of that special program.

Ever hear of the Principle of Least Privilege?
 
If OP wants to log in from the side as gdman and open up a browser, having root is pointless.

If OP wants to practice 'remote assistance' and close a regular user's apps, a VNC server is a better and safer bet. Having root privileges is still pointless for SSH entry into the system in this scenario. Especially considering that root can just kill the processes anyway, and even reboot the whole system.
 
Please step back, and ask yourself why you are logged in as root, and whether you really need to be logged in as root.

Answering that question is essential to designing a sound solution.

You will see in my post above, the very first thing I did was remove the root privilege with su - gdman. I didn't have to do that. The code would have worked without it. But one of the cardinal rules of working with Unix is that you never do anything as root unless you have to. It's just too dangerous to be using root privilege when it's not absolutely required.

Sometimes you need to be root. e.g. I need to be root to run the virt-manager GUI on my remote Linux KVM server, because it does things that can only be done by the root user (like access hardware).

But needing to be root to run any GUI application is rare.

So why do you need to be logged in as root to do the thing that you want to do? Specifically why do you think you need that elevated (and dangerous) privilege?

If you don't actually need to be logged in as root, we should see if the original question can be posed in a more sensible way. The change required might be trivial, e.g. login as an ordinary user, and give that user privilege to execute the su - gdman command.
 
Dear all:
Thanks for your guidance. I don't have gdman's password, so I can't log in as gdman. I just have the root password. OK, I'll change my question:
1. Three people have accounts a, b, c. I am root. No one knows anyone else's password.
2. a, b, c use the GNOME GUI desktop.
3. a wants to send a message to c's GNOME GUI desktop. The message includes (music, picture, web site, movie, IM message).
How do I do that?
Thanks.
 
Dear gpw928:
Thanks. gdman is logged in to the system with the GNOME GUI desktop. If I got gdman's password and then logged in to this machine over ssh as gdman, could I run some X Window app to show to him? Right?
 
If it's somebody else's computer, all the more reason to avoid security holes like allowing root to SSH in. Even in enterprise settings, people would not use admin privileges like that.

This is not Windows. UNIX security model is just designed very differently.

My suggestion would be to stop trying to adjust the FreeBSD security settings to imitate the Windows model.

Inelegant as it is, it's far safer to either email the user gdman with a PDF of instructions, or walk up and show how to do the stuff.

If you need to be able to SSH into the machine, start by setting yourself up as user d.
Then add user d to group wheel (that allows you to run su).
Disable root logins for the SSH daemon.
SSH in with your d account.
Then do everything you need.

HTH.
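
A check for the end state these steps aim at, as an added example that is not part of the original post: it reads an sshd_config and a group file and reports whether root SSH login is enabled and whether the admin account is in wheel. The function names and sample files are constructed for illustration, and accepting an unset PermitRootLogin assumes the shipped default denies root, as the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.

# Print the global PermitRootLogin value sshd would apply from config file $1.
# sshd keeps the FIRST value seen for a keyword; keywords are case-insensitive.
permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                      # whole-line comments
        { sub(/=/, " ") }                        # "Keyword=value" form
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == "permitrootlogin" && NF >= 2 { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed if user $1 is listed as a member of group $2 in group file $3.
# (A primary group set only in the passwd database is not visible here.)
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit(ok ? 0 : 1) }
    ' "$3"
}

# Check the end state of the steps above for admin account $1.
audit_admin_access() {   # audit_admin_access USER SSHD_CONFIG GROUP_FILE
    prl=$(permit_root_login "$2")
    case $prl in
        no|unset) ;;     # assumption: "unset" leaves a default that denies root
        *) echo "FAIL: PermitRootLogin is '$prl'"; return 1 ;;
    esac
    in_group "$1" wheel "$3" || { echo "FAIL: $1 is not in wheel"; return 1; }
    echo "OK: root SSH login not enabled; $1 can use su"
}

# Constructed sample input.
tmp=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' 'PermitRootLogin no' > "$tmp/sshd_bad"
printf '%s\n' 'Port 22' 'PermitRootLogin no' > "$tmp/sshd_good"
printf '%s\n' 'wheel:*:0:root,d' 'operator:*:5:root' > "$tmp/group"

audit_admin_access d "$tmp/sshd_good" "$tmp/group"
audit_admin_access d "$tmp/sshd_bad" "$tmp/group" || true
audit_admin_access gdman "$tmp/sshd_good" "$tmp/group" || true
```

On a live system, `sshd -T` prints the effective configuration as sshd itself parses it and is the authoritative source.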
 
Dear astyle:
Thanks. This machine has direct root ssh disabled. I have never changed this.
The core of my question is below:
1. Can we run an X Window app on gdman's GNOME GUI desktop through another user?

Thanks to everyone for guiding me. Note: I have never used root to ssh into this machine remotely. Don't worry about this.
The problem is how to run an X Window app on normal user gdman's GNOME GUI desktop as another user, whoever it is... Thanks.
 
If gdman's GUI desktop is using Windows, have them run the command "xhost +". That disables access control to their display server. At that point, any other user (doesn't have to be root) can set their DISPLAY variable to the display server (typically ":0.0"), and run any Xwindows program, which will display on gdman's display.
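
`xhost +` turns off the access check for every client, not only for the one helper account. The added example below, which is not part of the original post, classifies `xhost` output so an overly broad grant can be spotted; `xhost +si:localuser:NAME` is the narrower grant that admits a single local user. The function name and the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads the output of `xhost` (run with no
# arguments inside the desktop session) on stdin and prints how widely the
# display is shared.
xhost_exposure() {
    awk '
        BEGIN { level = 0 }
        /^access control disabled/ { level = 3; next }    # state after "xhost +"
        /^access control enabled/  { next }
        /^SI:localuser:/ {                                 # one named local user
            users = users " " substr($0, 14)
            if (level < 1) level = 1
            next
        }
        NF { if (level < 2) level = 2 }                    # INET:, INET6:, LOCAL:, ...
        END {
            if (level == 3)      print "open"
            else if (level == 2) print "host-wide"
            else if (level == 1) print "per-user" users
            else                 print "cookie-only"
        }
    '
}

# Constructed samples of xhost output.
after_xhost_plus='access control disabled, clients can connect from any host'
after_named_grant='access control enabled, only authorized clients can connect
SI:localuser:gdman
SI:localuser:d'

printf '%s\n' "$after_xhost_plus"  | xhost_exposure
printf '%s\n' "$after_named_grant" | xhost_exposure
```

A result of `cookie-only` means no xhost entries exist and clients still need the session's X authority cookie.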
 
Dear astyle:
Thanks for your help. I am new to FreeBSD.
I don't have gdman's password. What should I do next? Sorry.
Next step is to create a regular user account on that machine for yourself.

Then add that account to the wheel group.

I'm assuming that this is a personal machine/VM, not a work machine/VM.

Your initial post actually states that you have just two users on your new system, gdman and root. So, it's quite logical to assume that you are gdman on the system. And in this case, it's quite baffling that you don't have the password for gdman. If you locked yourself out of a brand-new system, just reinstall it. And while doing the reinstall, add yourself to the wheel group!
 