Why can't I run GUI apps from 'root': "No protocol specified"?

Accessing the X server requires two things:

  • The $DISPLAY variable pointing to the correct display (usually :0)
  • Proper authentication information

The authentication information can be explicitly specified via $XAUTHORITY, and defaults to ~/.Xauthority otherwise.

If $DISPLAY and $XAUTHORITY is set for your user, sudo will set them for the new shell, too, and everything should work fine.

If they are not set, they will probably default to the wrong values and you cannot start and X applications.

In Debian $XAUTHORITY is usually not set explicitly. Just add

export XAUTHORITY=~/.Xauthority

to your .bashrc or explicitly say XAUTHORITY=~/.Xauthority sudo ... and everything should work.

You can also use xauth list to check whether proper authentication information are available.


I had the same question as you but for a normal user. Let's say I want to start firefox using the user account foo. I'm logged in as bar:

[bar@localhost ~]$ sudo -u foo -H firefox

Sadly that command failed with the same error as in the question (i.e. no protocol specified & cannot open display)

My solution was to simply add the user foo to the list of authorised access to the X server.

xhost si:localuser:foo

And that was it, I was then able to launch Firefox (and other X application) using sudo and the user foo.

Background: On X Window, there is a client/server architecture. When you launch an application you request the X server authorisation to display it. By default once you open a session (you graphically login), you (your user) are obviously allowed to commmunicate with the server and display applications. Other users do not have this permission unless you specify it. xhost is a tool to manipulate the list of permissions. The si indicates that the rule is server side and it authorise the local user foo to display applications. X Window is very powerful in this regard and you can display remote applications locally by playing with the DISPLAY environment variable and xhost (but not limited to them). In older times, when people typed xhost + and implicitely allowed everyone to use their X session, it was possible to display application on their screen for pranks ;-) not so much nowadays as people are less and less using X Window client/server architecture (at least for what I observe in the past 10 yers).

PS: I did this in order to launch Firefox in a kind of "jail" (to avoid a vulnerability like for pdf.js in the future). But I quickly found out that calling Firefox via sudo won't allow it to access audio nor the video hardware. But there is one guy which explain clearly how to activate video hardware acceleration and audio when calling Firefox via sudo. YMMV with these instructions, e.g. I still have a permission denied with audio but video is fine (tested on Fedora 22 with SELinux ON).


You can either

Specify the display to be used on the command line, by adding -display :0.0

or

Set up the environment variable in root's login script (one of .bashrc, .profile, .bash_profile ...).

export DISPLAY=:0.0

You can check whether it's set,

$ env |grep DISPLAY
DISPLAY=:0.0

To open up your display for all users from all hosts as your normal user you can do this with :

xhost +

Edit: Thanks and credit to @Toby Speight for his comment below for the more targeted suggestion, instead of opening it up for anybody.

xhost +si:localuser:root

Tags:

X11

Kde

Debian

Gui