About xhost security policies
Glynn Clements
glynn at gclements.plus.com
Sun Jan 7 01:59:12 PST 2007
danielsforummail wrote:
> I am doing maintenance on a Java application that acts like a X
> client. This java application connects to the X server over a TCP
> socket at 127.0.0.1:6000.
IOW, it *is* an X client.
BTW, why are you using a TCP connection to localhost:6000 rather than
the Unix-domain socket /tmp/.X11-unix/X0? I.e. why
DISPLAY=127.0.0.1:0.0 rather than DISPLAY=:0.0? A Unix-domain socket
has much lower overhead, as the data doesn't have to traverse the
kernel's networking stack.
> In order to have the X server accept the connection from my Java
> application, I discovered that first I have to enable TCP
> connections (for example, by editing the fdm.conf file) and then run
> "xhost + localhost".
Using xhost is usually the wrong solution, as it allows *all* users on
a given host to access the X session.
> It is not clear why I have to run "xhost + localhost".
Because you're trying to run the client under an account other than
the one which owns the X session. Allowing every user on the system to
access your X session is normally considered a bad idea.
> If I set DISPLAY=127.0.0.1:0.0 and run xeyes, it appears on my
> display _without_ need of "xhost + localhost". But running xeyes as
> another user on the same machine requires again "xhost + localhost".
>
> Asking netstat about the TCP connections, I discovered that they are
> similar for xeyes and the java app. I suppose that the security
> verification checks the socket address and something else that I
> cannot figure out.
X clients authenticate themselves to the server by passing the
authentication credentials from the file specified by $XAUTHORITY (or
$HOME/.Xauthority if $XAUTHORITY is unset). This file is normally only
readable by its owner, so other users on the same system can't access
the X session.
If you want to grant other accounts access to your X session, extract
the authentication credentials using "xauth extract ...", transfer
them to the other account, then have that account add them to its own
~/.Xauthority file using "xauth merge ...".
> Is there some documentation or specification available online about
> the xhost authentication policy? Or does someone have deeper
> knowledge about?
man xauth
--
Glynn Clements <glynn at gclements.plus.com>
More information about the xorg
mailing list