An MIT-MAGIC-COOKIE is a security token that an X11 client application must possess in order to be allowed to connect to the display server. This is to stop other users on the machine from connecting malicious clients to your display, snooping your keyboard and windows. Your cookies are stored in the file $HOME/.Xauthority.
(These days, direct X11 connections over the network are not allowed; they must be tunnelled by SSH. You do not need to copy magic cookies between machines. SSH creates a fake local display, localhost:10.0, with a fake cookie, and writes it into .Xauthority. When a client connects, SSH checks its local cookie, forwards the connection over the secure tunnel, and then connects to the real display using the real cookie.)
sudo normally starts processes with a clean environment for the target user (Defaults env_reset), instead of passing your environment variables. That means HOME=/root instead of HOME=/home/pi. An X11 client run under sudo will look in the wrong place for the .Xauthority file, and will not find the cookie necessary to connect to your ssh-tunnelled display.
Adding HOME to env_keep means that the variable will not be reset when sudo starts a privileged process. This does increase the risk that files owned by root will be written into /home/pi.
You can also override variables for individual commands:
Code: Select all
sudo HOME=~ xclient
sudo XAUTHORITY=~/.Xauthority xclient
gksu xclient
The first tells sudo to pass HOME=/home/pi. The second passes HOME=/root, but tells the client where to find the correct cookies. gksu is a front end for su and sudo that specifically supports launching GUI applications.
All of these solutions depend on the fact that root can read pi's .Xauthority file. In general if you want to start a client as another user you will have permissions problems as well.
Ideally, you should not run GUI applications as root. They are usually not intended for system administration and may not be safe when you give them write access to
everything.
