05-20-2012 04:43 AM
I was trying to install Oracle on my HP-UX 11.31 machine. The "root" user can open Xclock, but the "Oracle" user cannot open Xclock. The display setting is correct.
$ export DISPLAY=10.144.110.139:0.0
$ echo $DISPLAY
Error: Can't open display: 10.144.110.139:0.0
10.144.110.139 is my machine's IP, where I have started Xmanager.
I opened an Xterminal from Xmanager; root's session can start xclock:
access control disabled, clients can connect from any host
# echo $DISPLAY
10.241.16.135 is the IP of the server, and this session can open Xclock, but the Oracle user's session cannot open xclock.
Thanks in Advance.
05-20-2012 04:14 PM - edited 05-20-2012 04:16 PM
> # echo $DISPLAY
> 10.241.16.135 is the IP of the server, and this session can open Xclock
Looks like SSH X forwarding is in effect: the $DISPLAY on the remote host is pointing to an X forwarding proxy initiated by sshd, by request of the SSH client. The two-digit display number (11 here) is the clue.
The network might be firewalled so that SSH connections from your workstation to TCP port 22 on the server are allowed, but "raw" X11 connections from the server back to TCP port 6000 of your workstation (for DISPLAY 0.0) are being dropped. If that's true, the only way to get an X11 connection is through SSH X forwarding.
(That's enforcement of a good security policy, by the way: "raw" X11 is definitely not secure enough by modern standards. It's way too easy to monitor or even manipulate a raw X11 session.)
The easiest way around the problem would probably be to just make the SSH connection as the user you ultimately want to be. If you want to run an X11 application as user "oracle", make the SSH connection as "oracle" with the X forwarding enabled, and SSH will automatically handle everything for you.
From your problem description, you're logging in as root and then using "su - oracle" or similar to transition to another user account. Am I correct?
If that's true, and you need/want to keep doing that, you will need to transfer two things from the root user to the oracle user. You must do this again in each new login session, since these things will be generated dynamically for each session:
- the value of the $DISPLAY variable, exactly as the root user has it on the current session. No changing the IP address, no adding ":0.0" at the end. Just make sure the Oracle user gets it exactly as it is.
- the ~/.Xauthority file in the root's home directory, or more precisely, the "magic cookie" in it that acts as an X connection key. When the SSH connection was established by the root user, sshd set it up for you - but if you use su or similar commands to switch to another user, you must make the key accessible to the target user.
You don't have to copy root's .Xauthority file to oracle's home directory, although you can do it that way too if you want. If you have the .Xauthority file in some other location, you can use the XAUTHORITY environment variable to tell the X11 applications where it is.
# echo $DISPLAY
10.241.16.135:11.0
# cp $HOME/.Xauthority /var/tmp/root.Xauthority
# chown oracle /var/tmp/root.Xauthority
# su - oracle
[... standard login messages ...]
$ export DISPLAY=10.241.16.135:11.0
$ export XAUTHORITY=/var/tmp/root.Xauthority
$ xclock
From your second post:
> $ echo $DISPLAY
That is not correct $DISPLAY syntax. This is not going to work.
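
Added example, not part of the thread: a shell sketch of the same hand-over that passes only the cookie for the current display through a pipe instead of leaving a copy of root's .Xauthority in /var/tmp, and that checks the $DISPLAY syntax first. The function names classify_display and run_x_as are hypothetical; it assumes xauth is on PATH for both users, that the target user has a Bourne-style login shell, and that sshd uses its default X11DisplayOffset of 10.

```sh
#!/bin/sh
# Added example (not from the thread). classify_display and run_x_as are
# hypothetical helper names; xauth is assumed to be on PATH for both users.

# Print "ssh-forwarded", "direct" or "invalid" for a DISPLAY value.
# Display numbers >= 10 match sshd's default X11DisplayOffset of 10.
classify_display() {
    case "$1" in
        *:*) ;;
        *) echo invalid; return 0 ;;          # no ":display" part at all
    esac
    cd_host=${1%:*}                            # may be empty for a local display
    cd_num=${1##*:}                            # e.g. "11.0"
    cd_num=${cd_num%%.*}                       # drop optional ".screen" -> "11"
    case "$cd_host" in
        *[!A-Za-z0-9._-]*) echo invalid; return 0 ;;
    esac
    case "$cd_num" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    if [ "$cd_num" -ge 10 ]; then echo ssh-forwarded; else echo direct; fi
}

# Run as root inside the SSH session: hand only the cookie for the current
# display to the target user, then start the X client as that user.
# Assumes the target user's login shell is Bourne-style (sh/ksh).
run_x_as() {
    rx_user=$1; shift
    if [ "$(classify_display "$DISPLAY")" = invalid ]; then
        echo "DISPLAY='$DISPLAY' is not host:display[.screen]" >&2
        return 1
    fi
    if [ -z "$(xauth list "$DISPLAY" 2>/dev/null)" ]; then
        echo "no X authority entry for $DISPLAY in this session" >&2
        return 1
    fi
    # extract writes the matching entry to stdout; merge reads it on stdin,
    # so the cookie never sits in a shared directory.
    xauth extract - "$DISPLAY" | su - "$rx_user" -c "xauth merge -" || return 1
    su - "$rx_user" -c "DISPLAY='$DISPLAY' $*"
}

# Example call (as root): run_x_as oracle xclock
```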