How can I run an application with a GUI as admin from a non-admin user session?

Terminology

In this answer:

  • normaluser is a normal user who is not an administrator and cannot run commands as root with sudo.
  • admin is an administrator who can run commands as root with sudo. (Of course, any graphical commands should use a graphical frontend like gksu/gksudo, and not sudo directly.)
  • anyapplication is the name of the graphical application normaluser wants to run as root. normaluser knows admin's password and has (presumably) been told s/he may use it for this purpose.

The Problem

The cause of your problem, and the reason most of the other answers so far don't work (with the exception of Marty Fried's excellent answer), is:

  • gksu can be configured to use either sudo or su as its backend. The default behavior of gksu in Ubuntu is to act as a frontend for sudo, not for su. That is to say that, by default, gksu and gksudo behave exactly the same. See the manpage.
  • normaluser is not an administrator and thus cannot run commands as root with sudo. sudo prompts for the password of the user running it, not the password of the user they want to become. Not being able to use your password to perform actions as people who aren't you is what it means to not be an administrator.
  • normaluser, provided it is not a Guest account, can run commands as another user with su, putting in the other user's password. But gksu acts as a frontend for sudo, not su.
  • normaluser cannot directly run any command as root, because normaluser cannot use sudo, and nobody can become root with su because there is no root password.

The Solution

The solution requires writing a command that performs two authentication steps:

  • normaluser must become admin to run a graphical command. To do this, normaluser must run gksu with the -w flag to make it run in su-mode instead of the default sudo-mode, and the -u flag to run the command as admin instead of root.
  • The command run as admin must invoke gksu without the -w flag to use sudo to become root.

Here's the command (yes, I have tested it ;-)):

gksu -w -u admin gksu anyapplication

You will be prompted for a password twice:

  1. First, you must enter admin's password, to let normaluser run a command as admin with the su backend.
  2. Second, you must enter admin's password, to let admin run a command as root with the sudo backend.

That's right. You enter admin's password twice.

Miscellaneous notes:

  • If you wish, you can replace the second gksu with gksudo to make it less confusing. In Ubuntu, they are equivalent. (You can also replace the first gksu with gksudo, but that would be extremely counterintuitive and confusing.)
  • -w is the short form of --su-mode.
  • -S is the short form of --sudo-mode but neither has to be used because sudo-mode is the default.
  • You may want to test this with some pretty harmless command first, to make sure it does what you want. (It will, but there's no need for you to trust me on that.) For example:
    gksu -w -u admin gksu xclock
    xclock is a nice simple clock-window application.

One way that will probably work is to use "sux" rather than "su" when you first switch to the admin user. sux fixes the problem of running x applications from the spoofed user. It is in the standard repo, and can be installed by entering sudo apt-get install sux at a commandline.

Then, just use "sux" instead of "su" and it should work the way you expect.

Lets reuse the example of the application xclock:

sux admin
gksu xclock

PAM can take care of it

This works for me on Ubuntu 16.04 (edit: it works too on 18.04 LTS):

put the line:

session optional pam_xauth.so

somewhere in:

/etc/pam.d/su

and/or

/etc/pam.d/sudo

and then doing "su -" or "sudo su -" I can use graphical apps as root.

Tags:

Sudo

Su

Gksu