Why can't I run GUI apps from 'root': "No protocol specified"?
Accessing the X server requires two things:
- The
$DISPLAY
variable pointing to the correct display (usually:0
) - Proper authentication information
The authentication information can be explicitly specified via $XAUTHORITY
, and defaults to ~/.Xauthority
otherwise.
If $DISPLAY
and $XAUTHORITY
is set for your user, sudo
will set them for the new shell, too, and everything should work fine.
If they are not set, they will probably default to the wrong values and you cannot start and X applications.
In Debian $XAUTHORITY
is usually not set explicitly. Just add
export XAUTHORITY=~/.Xauthority
to your .bashrc
or explicitly say XAUTHORITY=~/.Xauthority sudo ...
and everything should work.
You can also use xauth list
to check whether proper authentication information are available.
I had the same question as you but for a normal user. Let's say I want to start firefox using the user account foo. I'm logged in as bar:
[bar@localhost ~]$ sudo -u foo -H firefox
Sadly that command failed with the same error as in the question (i.e. no protocol specified & cannot open display)
My solution was to simply add the user foo to the list of authorised access to the X server.
xhost si:localuser:foo
And that was it, I was then able to launch Firefox (and other X application) using sudo
and the user foo.
Background: On X Window, there is a client/server architecture. When you launch an application you request the X server authorisation to display it. By default once you open a session (you graphically login), you (your user) are obviously allowed to commmunicate with the server and display applications. Other users do not have this permission unless you specify it. xhost
is a tool to manipulate the list of permissions. The si
indicates that the rule is server side and it authorise the local user foo
to display applications. X Window is very powerful in this regard and you can display remote applications locally by playing with the DISPLAY
environment variable and xhost
(but not limited to them). In older times, when people typed xhost +
and implicitely allowed everyone to use their X session, it was possible to display application on their screen for pranks ;-) not so much nowadays as people are less and less using X Window client/server architecture (at least for what I observe in the past 10 yers).
PS: I did this in order to launch Firefox in a kind of "jail" (to avoid a vulnerability like for pdf.js in the future). But I quickly found out that calling Firefox via sudo won't allow it to access audio nor the video hardware. But there is one guy which explain clearly how to activate video hardware acceleration and audio when calling Firefox via sudo. YMMV with these instructions, e.g. I still have a permission denied with audio but video is fine (tested on Fedora 22 with SELinux ON).
You can either
Specify the display to be used on the command line, by adding -display :0.0
or
Set up the environment variable in root's login script (one of .bashrc, .profile, .bash_profile ...).
export DISPLAY=:0.0
You can check whether it's set,
$ env |grep DISPLAY
DISPLAY=:0.0
To open up your display for all users from all hosts as your normal user you can do this with :
xhost +
Edit: Thanks and credit to @Toby Speight for his comment below for the more targeted suggestion, instead of opening it up for anybody.
xhost +si:localuser:root