在其他机器上作为其他用户使用 Emacs 服务器和 emacsclient [英] Using Emacs server and emacsclient on other machines as other users

问题描述

我知道在现有 Emacs 会话中调用 (start-server) 之后，我可以使用 emacsclient -c(在同一台计算机上)创建新框架连接到该服务器，以便 emacsclient 创建的每个新帧都可以访问相同的共享状态集(例如缓冲区).

我发现的大多数文档都侧重于让我快速访问本地 Emacs"用例，因此有两件事我还没有看到任何细节:

1. emacsclient -c 是否可以访问由其他 用户启动的 Emacs 服务器，还是只能检测由我自己的用户启动的会话?p>

2. Emacs 服务器(直接或间接)支持远程连接吗?也就是说，有没有办法设置 Emacs(可能涉及 SSH)，允许在 远程 机器上调用 emacsclient -c 以访问本地 我的 Emacs 服务器的状态?

(如果您还没有猜到，我最终想做的是结合上述两种技术来提供基本的协作编辑支持.)

<小时>

这是一个现实世界的问题，所以这是我正在处理的问题:

• 必要的功能应该已经内置到 Emacs 中(23.3.1，64 位).我可以从标准的 Ubuntu 存储库扩展到 Emacs 扩展，但我不想这样做.(遗憾的是，我认为这排除了 Rudel.)
• 没有新用户或用户欺骗.解决方案应适用于现有的用户帐户集，并且用户不得伪装成其他用户(例如通过 su 或 ssh).

如果有什么不同的话，这些机器都在一个私有局域网上，安装(并运行)了 OpenSSH 客户端和服务器，并且所有用户都可以连接到(他们自己的帐户)所有机器，但他们没有共享文件系统.

<小时>

那么，有没有人知道Emacs服务器是否可以

• 授予其他用户访问权限，或
• 提供远程访问?

编辑

正如 rwb 的回答所评论的，很明显，通过运行 emacsclient -c 在本地打开的新窗口实际上是由 remote Emacs 服务器进程创建的.也就是说，emacsclient 只是触发了服务器中的相关行为.这会导致一些显示设置不正确的问题，因为服务器通常无法访问本地桌面(见下文).但是，如果我使用以下命令序列，我现在可以连接到远程 Emacs 会话:

在一个终端中，其中1.22.333.44是remotehost的IP地址:

ssh -t -X 远程主机 "emacs -nw --eval'(progn (setq server-host "1.22.333.44" server-use-tcp t) (server-start))'"

然后在另一个(在同一台机器上):

scp remotehost:.emacs.d/server/server/tmp/server-file显示=本地主机:10 emacsclient -c -f/tmp/server-file

emacsclient 命令导致远程 Emacs 服务器(它在 /tmp/server-file 中找到详细信息)打开一个图形 Emacs 窗口(在本地display) 与远程主机上的 Emacs 会话共享状态.

由于远程 Emacs 服务器是通过 ssh -X 启动的，SSH 为其提供了通过假":10 显示访问我的本地显示的权限.传递给它的 DISPLAY=:10(通过 emacsclient)因此导致在我的本地桌面上打开一个窗口.

<小时>

虽然上面的方法确实勾选了在远程机器上运行 Emacs 服务器，使用 emacsclient 本地连接到它"框，但它非常有限.实际上，作为单个用户在本地运行服务器和客户端并没有太大区别:唯一的区别是服务器现在是远程的，因此可以访问不同的系统资源.

不幸的是，通过 ssh -X 启动是我能够在另一台机器的 X 服务器上成功打开窗口的唯一方法:

• 指定一个基本的 DISPLAY=remote:0 无处可去(因为 Ubuntu X 服务器是用 -nolisten tcp 选项启动的).

• 通过 SSH 连接然后使用 DISPLAY=:0 也失败了，但这一次只是因为缺少合适的身份验证凭据.(无论如何，我相信情况确实如此:错误消息隐晦地说No protocol specified/Can't open display.)

我认为找到解决第二个问题的方法可能会让我更接近解决方案.

<小时>

已阅读 http://comments.gmane.org/gmane.emacs 上的帖子.devel/103350(从10 月 25 日 14:50"的帖子开始，大约一半)我开始怀疑这是否可能是 Emacs 不能做的罕见事情之一(即不可能；-) ).

但是，如果有人确实有办法提供对远程 X 显示器的访问而不会出现上述权限错误，我仍然愿意接受劝说....

TL;DR

正如 rwb 的回答所指出的，我上面关于 Emacs 是否可以授予远程访问权限的问题让事情倒退了.Emacs 授予其他用户访问权限并没有真正的问题(server-use-tcp 和合适的 server-file 处理这个问题):问题在于 如何允许一台机器上的进程在其他用户的 X 显示器上打开新的 X 窗口(具体来说，运行 (start-server) 的 Emacs 需要为询问它的用户打开窗口通过 emacsclient -c).这个答案超出了这个问题的范围.

替代解决方案

作为一种解决方法，我们使用以下方法:

• machine0:tmux -S/tmp/shared-tmux-socket new-session
• machine1..machineN: ssh -t machine0 tmux -S/tmp/shared-tmux-socket attach

在 /tmp/shared-tmux-socket 上具有合适的文件权限.

然后我们在共享终端中运行文本模式的 Emacs.:-) 这确实提出了一些欺骗用户的问题，但至少主持人可以看到客人在做什么.

解决方案

我认为根据定义，您所要求的内容是不可能的，因为如果您授予远程用户不受限制地访问您的 Emacs 的权限，这与用户欺骗"作为让该远程用户通过 ssh 访问 shell.明确地说，从安全的角度来看，这可能是个坏主意.

此外，让两个用户访问一个 Emacs 的结果并不像您希望的那么好.它的设计没有考虑到同时访问.我已经好几年没试过了，所以事情可能会有所进展，但是当我这样做时，至少可以说是古怪的.

不过，我会尽量回答你的问题.

这听起来像是从后到前考虑这个问题，因为与直觉相反，在网络术语中，X11 显示器是服务器，而 X11 应用程序是客户端.这是令人惊讶的，因为通常显示对用户来说是本地的，并且应用程序在某个远程服务器上运行.

您可以指示正在运行的 emacs 连接到远程显示器并使用 M-x make-frame-on-display 打开一个新窗口.为此，该显示器的所有者需要授予您访问权限.

我们假设 host-l 是运行 Emacs 的计算机，并且您想让 host-r 上显示 0 的用户可以访问它.请注意，您已经说过不想使用 SSH 转发，因此遵循此方法将导致所有流量将通过网络未加密.

首先，确保显示 host-r:0 正在接受 TCP 连接.您没有提到您的操作系统，但这可能是 Unix 上的默认设置，而 Linux 上可能没有(出于安全原因).例如，如果下面提到 -nolisten tcp，那么您需要更改此配置.

host-r$ ps -ef |格雷普X

接下来，让 host-r 的用户运行以下命令，并将输出发送给您.请务必警告他们，如果您愿意，这将使您能够完全控制他们当前的桌面会话.

host-r$ xauth list $DISPLAY主机-r/unix:0 MIT-MAGIC-COOKIE-1 01234567890abcdef0123456789abcd

这实际上是显示的密码".在 host-l 上，把它放在 Emacs 可以找到的地方:

host-l$ xauth add host-r:0 MIT-MAGIC-COOKIE-1 01234567890abcdef0123456789abcd

现在输入 M-x make-frame-on-display host-r:0，远程显示器上会弹出一个 Emacs 窗口.

I know that after I call (start-server) inside an existing Emacs session I can then use emacsclient -c (on the same computer) to create new frames that connect into that server, so that each new frame created by emacsclient has access to the same set of shared state (e.g. buffers).

Most of the documentation I've found focuses on the "give me fast access to my local Emacs" use case, and so there are two things that I haven't seen any details of yet:

1. Can emacsclient -c access Emacs servers started by other users, or is it hard-wired to detect only sessions started by my own user?

2. Does Emacs server (directly or indirectly) support remote connections? That is, is there some way to set up Emacs (possibly involving SSH) that allows calls to emacsclient -c on remote machines to have access to the local state of my Emacs server?

(In case you haven't already guessed, what I'd ultimately like to do is combine the two techniques above to provide rudimentary collaborative editing support.)

---

This is a real-world problem, so here's what I'm working with:

• The necessary functionality should be built into Emacs already (23.3.1, 64-bit). I can stretch to Emacs extensions from the standard Ubuntu repositories, but I'd prefer not to. (Which I believe rules out Rudel, sadly.)
• No new users or user spoofing. Solutions should work with the existing set of user accounts, and users must not pretend to be other users (e.g. via su or ssh).

If it makes any difference, the machines are on a private LAN, have OpenSSH clients and servers installed (and running), and all users can connect to (their own account on) all machines, but they have no shared filesystem.

---

So, does anybody know whether Emacs server can

• grant access to other users, or
• provide remote access?

EDIT

As commented in rwb's answer, it's clear that the new windows being opened locally by running emacsclient -c are actually being created by the remote Emacs server process. That is, emacsclient is simply triggering the relevant behaviour in the server. This causes some issues with incorrect display settings, since the server does not normally have access to the local desktop (see below). However, I can now connect in to a remote Emacs session if I use the following sequence of commands:

In one terminal, where 1.22.333.44 is the IP address of remotehost:

ssh -t -X remotehost 
  "emacs -nw --eval
   '(progn (setq server-host "1.22.333.44" server-use-tcp t) (server-start))'"

Then in another (on the same machine):

scp remotehost:.emacs.d/server/server /tmp/server-file
DISPLAY=localhost:10 emacsclient -c -f /tmp/server-file

The emacsclient command causes the remote Emacs server (which it finds details of in /tmp/server-file) to open up a graphical Emacs window (on the local display) that shares state with the Emacs session on the remote host.

Since the remote Emacs server was started via ssh -X, SSH provides it with access to my local display via a "fake" :10 display. The DISPLAY=:10 passed to it (via emacsclient) thus causes a window to be opened on my local desktop.

---

Although the approach above does tick the "Run Emacs server on remote machine, connect to it using emacsclient locally" box, it's very limited. In fact, it's not much different to running the server and clients all locally as a single user: the only difference is that the server is now remote, so has access to different system resources.

Unfortunately, launching via ssh -X is the only way I've been able to successfully open a window on a different machine's X server:

• Specifying a basic DISPLAY=remote:0 gets nowhere (since Ubuntu X servers are started with the -nolisten tcp option).

• Connecting via SSH and then using DISPLAY=:0 also fails, but this time only due to lack of suitable authentication credentials. (I believe that's the case, anyway: the error message cryptically says No protocol specified / Can't open display.)

I think that finding a way around the second problem would probably get me a good deal closer to a solution.

---

Having read the posts at http://comments.gmane.org/gmane.emacs.devel/103350 (starting at the '25 Oct 14:50' post, about half way down) I'm starting to wonder if this might be one of the rare things that Emacs cannot do (i.e. is impossible ;-) ).

However, if anyone does have a way to provide access to remote X displays without the permissions error above, I'm still open to persuasion....

TL;DR

As pointed out by rwb's answer, my questions above about whether Emacs can grant remote access have got things backwards. There's no real problem with Emacs granting access to other users (server-use-tcp and a suitable server-file take care of this): rather the problem is how to allow a process on one machine to open new X windows on other users' X displays (specifically, the Emacs running (start-server) needs to open windows for users who ask it to via emacsclient -c). That answer's beyond the scope of this question.

Alternative solution

As a workaround, we use the following:

• machine0: tmux -S /tmp/shared-tmux-socket new-session
• machine1..machineN: ssh -t machine0 tmux -S /tmp/shared-tmux-socket attach

with suitable file permissions on /tmp/shared-tmux-socket.

Then we run a text-mode Emacs in the shared terminal. :-) This does raise some user-spoofing questions, but at least the host can see everything that the guests are doing.

解决方案

I think what you're asking for is impossible by definition, because if you give a remote user unrestricted access to your Emacs, this is just as much "user spoofing" as letting that remote user access a shell via ssh. To spell it out, from a security point of view this is probably a bad idea.

Also, the results of letting two users access one Emacs aren't as good as you might hope. It isn't designed with simultaneous access in mind. It's years since I tried it, so things might have moved on a bit, but when I did it was quirky to say the least.

Still, I'll try to answer your question.

It sounds like you're thinking about this back-to-front, because, counter-intuitively, in network terms, the X11 display is the server, and the X11 application is the client. This is surprising because typically the display is local to the user and the application is running on some remote server.

You can instruct a running emacs to connect to a remote display and open a new window with M-x make-frame-on-display. For this to work, the owner of that display will need to grant you access to it.

We will assume host-l is the computer that is running Emacs, and that you want to make it accessible to a user of display 0 on host-r. Be aware that you've said you don't want to use SSH forwarding, so following this method will cause all traffic will go across the network unencrypted.

First, make sure that display host-r:0 is accepting TCP connections. You don't mention your operating system, but this is probably the default on Unix and probably isn't on Linux (for security reasons). If, for example, the following mentions -nolisten tcp then you'll need to change this configuration.

host-r$ ps -ef | grep X

Next, get the user of host-r to run the following, and send you the output. Be sure to warn them that this will allow you to take complete control of their current desktop session, should you choose.

host-r$ xauth list $DISPLAY
host-r/unix:0  MIT-MAGIC-COOKIE-1  01234567890abcdef0123456789abcd

This is, effectively, the "password" for the display. On host-l, put it where Emacs will be able to find it with:

host-l$ xauth add host-r:0 MIT-MAGIC-COOKIE-1  01234567890abcdef0123456789abcd

Now enter M-x make-frame-on-display host-r:0 and an Emacs window should pop up on the remote display.

这篇关于在其他机器上作为其他用户使用 Emacs 服务器和 emacsclient的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！