Sux





*sux - 20010821 - 9k

Sux is a wrapper around the standard su command which will transfer your X credentials to the target user. Sux is released under the terms of the X11 license.

Here's a short description of sux's features, mostly taken from an email I sent to the debian-devel mailing list (see the thread). I should probably transform this into a man page one day... (unless some kind soul does it for me, hint, hint).

  • 'sux user' and 'sux - user' behave just like su but transfer $DISPLAY and the X cookies.
  • You can specify a command on the command line, even if it contains spaces. This is likely to be buggy (double-quotes...) but should be enough to let you type things like: sux - xterm -title "Root's XTerm"
  • You can generate untrusted / temporary cookies for that user using '--untrusted' and/or '--timeout xxx' (see xauth generate)
  • If you symlink suxterm to sux, then 'suxterm - foo' will create a new xterm for user foo (more precisely a new x-terminal-emulator with a fallback on xterm for non-Debian systems). This makes '--timeout' more usable: the cookie will remain valid as long as this xterm is open. So you could type 'suxterm --timeout 20 - foo' and the cookie will expire 20 seconds after the xterm has been closed (if no other X application uses it). Note that it also means you have 20 seconds to type your password. Also it's equivalent to 'sux --timeout 20 - foo xterm', but the script could be modified to have a timeout by default... (Inspired by Daniel Martin).
  • You can use the su '--preserve-environment' option. In that case sux will override XAUTHORITY to the so that xauth does not try to use the original user's .Xauthority file (which it obviously could not do anyway due to access rights).
  • sux should work even for those using csh. But I'm not using it myself so I could not check. Let me know if there's a problem.
  • You can choose how to transfer the X credentials:
    • --no-cookies
      Just transfer DISPLAY, not the cookies. You could do this if you have already transferred the cookies in a previous invocation of sux.
    • --copy-cookies
      Copy the cookies using xauth. This is the default method (and only method most of the time).
    • --use-xauthority
      Instead of transferring the cookies, set the XAUTHORITY environment variable to access the original .Xauthority file. There are a couple of caveats with this method. First, due to access-rights issues it's only usable by root. But even then it may not work if the .Xauthority file is accessed via NFS, e.g. if the home directories are on NFS (note that this is quite dangerous already since your cookies will travel unencrypted over the network). Then, if root runs commands like xauth add/remove, the .Xauthority file will end up owned by root. This will leave the original user in trouble as he will no longer be able to access X! So only use this option with great care. Finally, this method does not work if you also want to use '--untrusted' or '--timeout'.
    I set the default to '--copy-cookies' for all cases, but you can easily change the default for root by changing the sux_root_cookie_transfer variable at the top of the file.
  • There's also a '--display' to specify which display to transfer in case you have access to more than one...
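
The ownership caveat described under '--use-xauthority' can be checked after such a session. This is an added example, not part of sux: check_xauthority is a hypothetical helper that reports when an .Xauthority file is no longer owned by the expected uid or has become readable by group or other.

```shell
#!/bin/sh
# Added example, not sux's own code. check_xauthority is a hypothetical name.
#
# Usage: check_xauthority FILE EXPECTED_UID
#   e.g. check_xauthority /home/foo/.Xauthority "$(id -u foo)"
# Prints one finding per line. Returns 0 if the file looks sane, 1 if
# ownership or permissions are wrong, 2 if FILE is not a regular file.
check_xauthority() {
    file=$1
    want_uid=$2
    rc=0

    # A symlink or missing file cannot be judged; report it separately.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 2
    fi

    # ls -ldn prints "<mode> <links> <uid> <gid> ..." with numeric ids,
    # so the first and third fields are safe to take after word splitting.
    set -- $(ls -ldn -- "$file")
    mode=$1
    uid=$3

    # The failure mode from the text: root ran xauth add/remove on the
    # user's file and it is now owned by root.
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owned by uid $uid, expected $want_uid"
        rc=1
    fi

    # Characters 5-10 of the mode string are the group/other bits; any
    # of them set means the cookies are exposed to other local accounts.
    case $mode in
        ????------*) ;;
        *) echo "$file: mode $mode grants access to group/other"
           rc=1 ;;
    esac

    # Repair, as root, would be: chown <user> FILE; chmod 600 FILE
    return $rc
}
```
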

fgouget@free.fr