GUI Capsule for root


Post by polaris96 » May 6th, 2014, 4:50 pm

How to create a root GUI VM “capsule” in X11

1. 06MAY14. I wrote this thing at work and realize it's a bit sparse. Just fleshing out the "WHAT IT DOES" section.

Create a virtual X11 session with a spartan WM (awesome) for root inside an existing session of your normal DE. The child VM looks like a normal window (except you can't resize it). It's actually a completely different session that rents some screen space on your Desktop. This is nice because you secure root access and still reap the benefits of a GUI.

There are many ways to do this. For instance, don't allow the display manager to access the root DE app (awesome (see below)). Allow only sudoers access to the wrapper script... you get the idea.

I'm CLI. Born in AT&T UNIX. Comfy and proud to enjoy the glow of green or amber phosphor. Smug in my ability to speak CLI in many different languages, can use a serial terminal without grinding the gears...

But, dammit, sooner or later $EVERYBODY wants to get GUI – just for a quick fix, etc...

Beware the “I can create an EZ-peezy root desktop so I can use my Debian system just like Windows XP...” siren song. You could do that, but I guarantee you'll wind up tanking the system eventually.

If you're new to the *NIX environment, please (PLEASE) learn to use the console. The act of learning will make you a much better administrator. Walk for miles. Don't run yet.

“so grasshopper, why is this good?”
“because I say so, Master...”

You have reached the point of understanding how hard you can tank a machine as root. You're tired of writing FOREACH loops to do stuff that would be a snap to P/C. You've gotten carpal tunnel from retyping sudo and gksu to use a file manager or editor.
You're also wary enough of security and “best practices” to not be comfortable allowing root logins to your normal DE.

Surprisingly easy.
1. Install a nested X session manager. The two I know of are Xnest and Xephyr. I have used both and much prefer Xephyr.

Code:
# The Debian package that provides the Xephyr binary is xserver-xephyr
~# aptitude install xserver-xephyr

2. Download a minimalist window manager. These are legion. I like awesome for these reasons:
A. Very well documented.
B. Highly (awesomely, pardon the pun) configurable. Could even be used as a floating WM if you wanted.
C. A bit tricky to learn. (Seriously, LUA? What's wrong with these people?). I want to keep the $WRONG people away from this project.

Code:
read $WRONG << EOF 
It's for your own good.  If you're able to tiptoe down the yellow brick road, here, you should be aware enough to not tank your system (I hope).  If all this is gibberish, go study then come back by \
all means.

...No the comment above isn't part of the tutorial....

Code:
~# aptitude install awesome

You can't nest sessions in many of the common DEs. The environment variables get confused. This is fixable and I'm not telling how, here. It's MUCH safer to use a separate DE for the root capsule. Remember the key point is “capsule” - its own little world like a pretty snowglobe on your desktop.

3. Install sudo if you don't already have it

Code:
~# aptitude install sudo

You should know how to set up sudo...
I'm not a 'butnut guy, but sudo really does have its place. This is a way, again, to abstract the root password.

4. Open your favorite editor and write the script:

Code:
#!/bin/sh
# Open a root session in awesome

Xephyr -ac -br -noreset -screen 800x600 :1.0 &
sleep 1
DISPLAY=:1.0 xfce4-terminal -x sudo awesome

1. -ac disables host-based access control and could possibly be omitted for a more secure setup, but I haven't tried it.
2. -br creates an initial black background in the child window. It's optional.
3. -screen sets the screen size. I'm ok with 800x600. Some people prefer a bigger screen. I doubt you'd want smaller.
4. :1.0 sets the Child display number. This DISPLAY should not already exist when calling the script. This is a good place for some recursion if you like coding. Some rainy day I'll probably add some.
5. & sends the server process into the background so you can use the child window for work.
6. sleep 1 gives everything a chance to stretch before you tell the child to do something.
7. Replace “xfce4-terminal -x” with a call (with proper execute options) to your favorite terminal emulator.
8. sudo awesome runs the awesome wm.

That's it. I like this so much I even use it for shell work. Really don't know how I ever got on without it. It's especially nice when remote admin'ing bc awesome is really small and packs into ssh -X nicely.

Also note you can't c/p into the Xephyr session. It's not really a part of your normal DE; it's just sharing space in the video buffer. You need ssh/scp/nfs/telnet to transfer data between the root session and your normal session.

tell you how to use awesome (tons of tutorials)
for as long as the world remains. for as long as time remains. so, too, will I remain. To serve. To help. And to make my contribution. Also please visit old friends at
Posts: 161
Joined: July 29th, 2011, 4:45 pm
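
A hardened variant of the wrapper script in step 4, added here as an example and not part of the original post: with -ac, any client that can reach the nested display can connect to the root session, so this version starts Xephyr with an MIT-MAGIC-COOKIE-1 file instead, picks a display number that is not already in use, and waits for the server socket rather than sleeping. It assumes xauth and mcookie are installed and that sudo passes DISPLAY and XAUTHORITY through; the file name root-capsule.sh and the XSOCK_DIR/LOCK_DIR variables are hypothetical.

```shell
#!/bin/sh
# Added example: root capsule with cookie authentication instead of -ac.
# XSOCK_DIR and LOCK_DIR are overridable only so the display picker is testable.
XSOCK_DIR="${XSOCK_DIR:-/tmp/.X11-unix}"
LOCK_DIR="${LOCK_DIR:-/tmp}"

# Print the first display number (1..9) with no X socket and no lock file.
find_free_display() {
    n=1
    while [ "$n" -le 9 ]; do
        if [ ! -e "$XSOCK_DIR/X$n" ] && [ ! -e "$LOCK_DIR/.X$n-lock" ]; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Wait up to about 5 s for the nested server's socket instead of a fixed sleep.
wait_for_display() {
    tries=0
    while [ ! -S "$XSOCK_DIR/X$1" ]; do
        tries=$((tries + 1))
        if [ "$tries" -gt 50 ]; then return 1; fi
        sleep 0.1
    done
}

start_capsule() {
    n=$(find_free_display) || { echo "no free display" >&2; return 1; }
    auth=$(mktemp "${TMPDIR:-/tmp}/capsule-auth.XXXXXX") || return 1
    xauth -f "$auth" add ":$n" . "$(mcookie)"   # "." = MIT-MAGIC-COOKIE-1
    # No -ac: only clients that present the cookie can connect to the capsule.
    Xephyr -auth "$auth" -nolisten tcp -br -noreset -screen 800x600 ":$n" &
    xpid=$!
    if wait_for_display "$n"; then
        DISPLAY=":$n" XAUTHORITY="$auth" xfce4-terminal -x sudo awesome &
        wait "$xpid"                 # returns when the Xephyr window is closed
    else
        kill "$xpid" 2>/dev/null
    fi
    rm -f "$auth"
}

# Usage: sh root-capsule.sh start   (hypothetical file name)
case "${1:-}" in
    start) start_capsule ;;
esac
```

The cookie file is created by mktemp with owner-only permissions and is removed once the Xephyr window is closed.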
