I have found two other posts with relevant information, but not a solution that I can use:
Launch Terminal From Crontab - openSUSE Forums
and
Cron & Kdialog: Cannot Connect To X Server - openSUSE Forums
What I need to do is inform any users that are currently logged in and has an X Session running, that their compliance in security has dropped according to the Center for Internet Security (CIS) standards. I have all the necessary sub-routines built to determine the above but I have had little success with deploying a GTK+2 widget explaining their drop in CIS compliance.
I have had success using the notification daemon when obtaining the users DBUS_SESSION_BUS_ADDRESS. But due to the lack of usability of said daemon, I have had to build our own GTK application. Not to mention, this has to work across multiple platforms (Ubuntu, CentOS, Gentoo, etc). And I won’t comment on Ubuntu’s new implementation of the Notify-OSD… Which has forced us to build our own GTK application.
###What I have tried thus far###
Environment:
crontab is set to run a verification script as follows:
30 9 * * 1-5 root /usr/share/MSCs/verify_MSCs >/dev/null 2>&1
verify_MSCs script:
Once complete, and has determined there is a user logged into an X session:
Methods Tried:
export DISPLAY=:0.0
/some/long/path/./msc_compliance arg1 arg2 etc...
export DISPLAY=:0.0
export XAUTHORITY="/home/$user/.Xauthority"
/some/long/path/./msc_compliance arg1 arg2 etc...
su $user -c "/some/long/path/msc_compliance arg1 arg2 etc..."
su $user -c "DISPLAY=:0.0 /some/long/path/msc_compliance arg1 arg2 etc..."
Note* All the msc_compliance application does is displays a list of failing components and allows them to browse their compliance history (web based).
What does work with the notification_daemon (if anyone is interested and in the hopes that I have helped someone ):
KDE folks:
su $user -c "DBUS_SESSION_BUS_ADDRESS=$(grep -z DBUS_SESSION_BUS_ADDRESS /proc/$(ps -au $user | grep -i "KDEINIT" | grep -v "START_KDEINIT" | awk '{ print $1 }')/environ | sed -e 's/DBUS_SESSION_BUS_ADDRESS=//') $(whereis notify-send | awk '{ print $2 }') -u normal -t 28800000 \"MSC compliance has changed due to a system change\" \"$TMPSCR\""
GNOME folks:
su $user -c "DBUS_SESSION_BUS_ADDRESS=$(grep -z DBUS_SESSION_BUS_ADDRESS /proc/$(ps -au $user | grep -i "gnome-session" | awk '{ print $1 }')/environ | sed -e 's/DBUS_SESSION_BUS_ADDRESS=//') $(whereis notify-send | awk '{ print $2 }') -i flag.png -u normal -t 28800000 \"MSC compliance has changed due to a system change\" \"$TMPSCR\""
$TMPSCR being the actual message.
$user being… well the user name of course.
-t 28800000 milliseconds to keep the display from building up multiple notifications on the users screen if the user is on vacation or the like. I don’t want them coming back to a storm of compliance drop messages on their screen
So… my question is basically, how do you start a GUI program for another user? Just like how the other platforms display a GUI program when updates are available… (like most do, so I know its possible)
Any suggestions are welcome! But please, keep in mind this needs to be done for around 5000 computers… And that the only control we have is through a crontab script. No possibility to go around and physically touch each computer.
I have toyed with the idea of having the verify script save a log file, text file or what-ever-file, and then have a users crontab run some kind of script to display the contents of this file… something like that… but can root modify a users crontab file? Because I see so many references about “DO NOT modify the users crontab directly” So I am reluctant to go that route.
Please excuse the lengthy POST! I wanted to be thorough