How can I run an application with a GUI as admin from a non-admin user session?
Terminology
In this answer:
normaluser
is a normal user who is not an administrator and cannot run commands asroot
withsudo
.admin
is an administrator who can run commands asroot
withsudo
. (Of course, any graphical commands should use a graphical frontend likegksu
/gksudo
, and notsudo
directly.)anyapplication
is the name of the graphical applicationnormaluser
wants to run asroot
.normaluser
knowsadmin
's password and has (presumably) been told s/he may use it for this purpose.
The Problem
The cause of your problem, and the reason most of the other answers so far don't work (with the exception of Marty Fried's excellent answer), is:
gksu
can be configured to use eithersudo
orsu
as its backend. The default behavior ofgksu
in Ubuntu is to act as a frontend forsudo
, not forsu
. That is to say that, by default,gksu
andgksudo
behave exactly the same. See the manpage.normaluser
is not an administrator and thus cannot run commands asroot
withsudo
.sudo
prompts for the password of the user running it, not the password of the user they want to become. Not being able to use your password to perform actions as people who aren't you is what it means to not be an administrator.normaluser
, provided it is not a Guest account, can run commands as another user withsu
, putting in the other user's password. Butgksu
acts as a frontend forsudo
, notsu
.normaluser
cannot directly run any command asroot
, becausenormaluser
cannot usesudo
, and nobody can becomeroot
withsu
because there is noroot
password.
The Solution
The solution requires writing a command that performs two authentication steps:
normaluser
must becomeadmin
to run a graphical command. To do this,normaluser
must rungksu
with the-w
flag to make it run in su-mode instead of the default sudo-mode, and the-u
flag to run the command asadmin
instead ofroot
.- The command run as
admin
must invokegksu
without the-w
flag to usesudo
to becomeroot
.
Here's the command (yes, I have tested it ;-)):
gksu -w -u admin gksu anyapplication
You will be prompted for a password twice:
- First, you must enter
admin
's password, to letnormaluser
run a command asadmin
with thesu
backend. - Second, you must enter
admin
's password, to letadmin
run a command asroot
with thesudo
backend.
That's right. You enter admin
's password twice.
Miscellaneous notes:
- If you wish, you can replace the second
gksu
withgksudo
to make it less confusing. In Ubuntu, they are equivalent. (You can also replace the firstgksu
withgksudo
, but that would be extremely counterintuitive and confusing.) -w
is the short form of--su-mode
.-S
is the short form of--sudo-mode
but neither has to be used because sudo-mode is the default.- You may want to test this with some pretty harmless command first, to make sure it does what you want. (It will, but there's no need for you to trust me on that.) For example:
gksu -w -u admin gksu xclock
xclock
is a nice simple clock-window application.
One way that will probably work is to use "sux" rather than "su" when you first switch to the admin user. sux fixes the problem of running x applications from the spoofed user. It is in the standard repo, and can be installed by entering sudo apt-get install sux
at a commandline.
Then, just use "sux" instead of "su" and it should work the way you expect.
Lets reuse the example of the application xclock
:
sux admin
gksu xclock
PAM can take care of it
This works for me on Ubuntu 16.04 (edit: it works too on 18.04 LTS):
put the line:
session optional pam_xauth.so
somewhere in:
/etc/pam.d/su
and/or
/etc/pam.d/sudo
and then doing "su -" or "sudo su -" I can use graphical apps as root.