Linux display no protocol specified

How to resolve ‘No protocol specified’ for su user

I am trying to use an alternate user (non-admin) to execute graphical software on my system. This alternate user has been named and given a UID and GID to match a remote system user of the same name. The UID is 500 so I believe that makes the user a ‘non-login’ user. Starting from Ubuntu logged into my main account, I open a terminal and su to the alternate user. I then attempt to execute the command to start the application and receive ‘No protocol specified’. Is this because of the UID

10 Answers 10

In my case the new display server protocol wayland was the problem,

just do xhost + local: then other users (e.g. root) are allowed to run programs in your session, network connections however will not be allowed.

If you want to allow clients from any host, you can use xhost + without specifying any host at all. This is however unsafe, it would be better to just specify the host(s) for which you want to grant access to your session.

@danger89 while this does work it allows any host to connect to your session if you have no firewall rules to prevent remote access (Not every distribution has firewall rules which deny all incoming requests e.g. ubuntu does not have preconfigured rules to prevent access to servers like samba or apache which the user might want to install) so for new linux users this could become a problem. Personally I would limit the access just to be on the save side

This worked for me. but the problem is, I already ran the program before as su. Why, all of a sudden it stopped working without this inconvenience?

@MADforFUNandHappy however, that host would first have to connect via SSH or some similar means, i.e. it would still have to know the system password to use X services, right

The problem is not occurring because of the UID of the user. 500 is just fine as a UID, and that UID doesn’t make it a ‘non-login’ user except in the eyes of the default settings of some few display managers.

The error message No protocol specified sounds like an application-specific error message, and an unhelpful one at that, but I am going to guess that the error is that the application is unable to contact your X11 display because it does not have permission to do so because it’s running as a different user. Applications need a «magic cookie» (secret token) in order to talk to the X11 server so that other processes on the system running under other users cannot intrude on your display, create windows, and snoop your keystrokes. The other system user does not have access to this magic cookie because the permissions are set so that it is only accessible to the user who started the desktop environment (which is as it should be).

Try this, running as your original user, to copy the X11 cookie to the other account:

su - -c "unset XAUTHORITY; xauth add $(xauth list)" 

then run your application. You may also need to unset XAUTHORITY in that shell too. That command extracts the magic cookie ( xauth list ) from your main user and adds it ( xauth add ) to where the other user can get it.

Bizarrely, using your quoted command gives ‘su: must be run from a terminal’. But it is in a terminal.

@JCollins oops, yeah, that would be a problem if su wants to ask for a password. Try this new command.

@Celada, gold, worked a treat. Could you have a go at detailing what that command is doing and how? And maybe explaining why the original incarnation did not?

@JCollins you’ll have to redo it each time after you log out and log in because a brand new magic cookie gets generated each time. That’s normal, it’s part of the security model.

Suppose you want to brute force get yourself a connection with X.

Lets assume you are already running your commands on the server (where X runs), otherwise get that to work first and then use ‘ssh -X user@server’ from the client afterwards ;).

There might be several ways to run the xauth commands, for example, you might be using ‘sudo’, but that might lose or change environment variables. The following environment variables need to be preserved: DISPLAY and XAUTHORITY. To test if that is the case you could run ‘echo $XAUTHORITY’ in the same way you run your commands, but make sure you aren’t expanding the environment variables before you run those commands. For example, try: sudo bash -c ‘echo «$XAUTHORITY»‘ to see what XAUTHORITY really is after you run your sudo (if it disappears you might need to add something to your sudoers file, see elsewhere).

Eventually, run the following command as the user that you want to get access with, on the server:

This will show the ‘Authority file’ that will be used (/root/.Xauthority by default, for root, or something like /home/theuser/.Xauthority). If it shows the correct .Xauthority file then you don’t have to worry about the XAUTHORITY environment variable actually (actually, I wouldn’t know when it wouldn’t, except if you want to manipulate a non-standard place of that file).

Remove that file (if it even exists):

mv /root/.Xauthority /root/.Xauthority.bak

In the above command, replace /root/.Xauthority with the correct XAUTHORITY file for your case of course.

Recreate it, but empty (this is needed for a lot of commands):

At this point you’ll get the No protocol specified error, even if you got Invalid MIT-MAGIC-COOKIE-1 before. Find the authority file that the X server is using at the moment:

This should show something like:

root 1153 0.0 1.0 149560 44464 tty7 Ss+ dec02 0:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/ -background none -noreset -displayfd 17 vt7

The file name after -auth is what you need in the next command. Run this as root:

That lists a 32 digit hexadecimal key. For example the output could be:

hostname/unix:0 MIT-MAGIC-COOKIE-1 c0eaf749aa252101a0f57d5087089db7

Use that to generate your .Xauthority file (as user who needs to login again):

xauth add $DISPLAY MIT-MAGIC-COOKIE-1 c0eaf749aa252101a0f57d5087089db7

replace ‘c0eaf749aa252101a0f57d5087089db7’ with what was returned by the list command for you. Now your .Xauthority should be size 51 bytes and you can connect to the X server (again).

PS If you start Xorg by running /usr/bin/startx , like me; then you might see something like:

root 1652 0.0 0.0 12788 5792 ? Ss jan20 0:00 login -- carlo carlo 1834 0.0 0.0 8140 3468 tty1 Ss jan20 0:00 \_ -bash carlo 1887 0.0 0.0 7404 3236 tty1 S+ jan20 0:00 \_ /bin/sh /usr/bin/startx carlo 1905 0.0 0.0 3912 828 tty1 S+ jan20 0:00 \_ xinit /home/carlo/.xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -keeptty -auth /tmp/serverauth.WWPpq4OSlA root 1906 1.2 0.7 25576848 235104 tty1 Sl jan20 207:56 \_ /usr/lib/Xorg -nolisten tcp :0 vt1 -keeptty -auth /tmp/serverauth.WWPpq4OSlA carlo 1917 0.0 0.0 143408 10884 tty1 Sl jan20 0:00 \_ startplasma-x11 

And the /tmp/serverauth.WWPpq4OSlA was deleted. See /usr/bin/startx script for how this works:

mcookie=`/usr/bin/mcookie` xserverauthfile=`mktemp -p /tmp serverauth.XXXXXXXXXX` trap "rm -f '$xserverauthfile'" HUP INT QUIT ILL TRAP KILL BUS TERM xauth -q -f "$xserverauthfile"  

[ka@archlinux ~]$ pavucontrol No protocol specified Unable to init server: Could not connect: Connection refused (pavucontrol:2751): Gtk-WARNING **: 21:53:02.704: cannot open display: :0

[ka@archlinux ~]$ scrot No protocol specified Can't open X display. It *is* running, yeah? [:0]

# pacman -S pstree $ pstree -uT 

# pacman -S pstree $ pstree -uT 

(pavucontrol:2751): Gtk-WARNING **: 21:53:02.704: cannot open display: :0

Unable to init server: Could not connect: Connection refused

(pavucontrol:2751): Gtk-WARNING **: 21:53:02.704: cannot open display: :0

Unable to init server: Could not connect: Connection refused

export XDG_RUNTIME_DIR=/run/user/1000 export XAUTHORITY="XDG_RUNTIME_DIR"/Xauthority

user-authority-in-system-dir=true

[ka@archlinux ~]$ hostnamectl Static hostname: archlinux Icon name: computer-desktop Chassis: desktop Machine ID: be3055d227fb46a094ca1c2ca41374cd Boot ID: 937964e08cd24a73b4a1314953b52232 Operating System: Arch Linux Kernel: Linux 5.4.69-1-lts Architecture: x86-64

[ka@archlinux ~]$ pstree -uT systemd─┬─NetworkManager ├─accounts-daemon ├─alacritty(ka)───zsh───nvim───node ├─alacritty(ka)───zsh───pstree ├─dbus-daemon(dbus) ├─lightdm─┬─Xorg │ └─lightdm───awesome(ka) ├─lvmetad ├─polkitd(polkitd) ├─rtkit-daemon(rtkit) ├─systemd(ka)─┬─(sd-pam) │ ├─at-spi-bus-laun │ ├─dbus-daemon │ ├─gvfsd │ ├─gvfsd-fuse │ └─pulseaudio───gsettings-helpe ├─systemd-journal ├─systemd-logind ├─systemd-timesyn(systemd-timesync) ├─systemd-udevd ├─upowerd └─zsh(ka)───MainThread─┬─Privileged Cont ├─8*[Web Content] └─WebExtensions

No protocol specified Can't open display :0

No protocol specified xhost: Can't open display :0