About xhost security policies

Glynn Clements glynn at gclements.plus.com
Sun Jan 7 01:59:12 PST 2007


danielsforummail wrote:

> I am doing maintenance on a Java application that acts like an X
> client. This Java application connects to the X server over a TCP
> socket at 127.0.0.1:6000.

IOW, it *is* an X client.

BTW, why are you using a TCP connection to localhost:6000 rather than
the Unix-domain socket /tmp/.X11-unix/X0? I.e. why
DISPLAY=127.0.0.1:0.0 rather than DISPLAY=:0.0? A Unix-domain socket
has much lower overhead, as the data doesn't have to traverse the
kernel's networking stack.

> In order to have the X server accept the connection from my Java
> application, I discovered that first I have to enable TCP
> connections (for example, by editing the fdm.conf file) and then run
> "xhost + localhost".

Using xhost is usually the wrong solution, as it allows *all* users on
a given host to access the X session.

> It is not clear why I have to run "xhost + localhost".

Because you're trying to run the client under an account other than
the one which owns the X session. Allowing every user on the system to
access your X session is normally considered a bad idea.

> If I set DISPLAY=127.0.0.1:0.0 and run xeyes, it appears on my
> display _without_ need of "xhost + localhost". But running xeyes as
> another user on the same machine requires again "xhost + localhost".
> 
> Asking netstat about the TCP connections, I discovered that they are
> similar for xeyes and the java app. I suppose that the security
> verification checks the socket address and something else that I
> cannot figure out.

X clients authenticate themselves to the server by passing the
authentication credentials from the file specified by $XAUTHORITY (or
$HOME/.Xauthority if $XAUTHORITY is unset). This file is normally only
readable by its owner, so other users on the same system can't access
the X session.

If you want to grant other accounts access to your X session, extract
the authentication credentials using "xauth extract ...", transfer
them to the other account, then have that account add them to its own
~/.Xauthority file using "xauth merge ...".

> Is there some documentation or specification available online about
> the xhost authentication policy? Or does someone have deeper
> knowledge about it?

	man xauth

-- 
Glynn Clements <glynn at gclements.plus.com>
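
The reply above says clients authenticate with credentials from $XAUTHORITY (or $HOME/.Xauthority), a file normally readable only by its owner. The following is an added example, not part of the original post: a small audit that resolves that path, flags group/other access, and lists which displays have entries without printing the cookie. The function names and the SAMPLE entry are constructed for illustration, and the entry layout is the standard Xauthority file format.

```python
import os
import stat
import struct

FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def authority_path(env):
    """$XAUTHORITY if set, else $HOME/.Xauthority (the lookup rule in the post)."""
    return env.get("XAUTHORITY") or os.path.join(env["HOME"], ".Xauthority")

def parse_entries(blob):
    """Parse entries: uint16 family, then four uint16-length-prefixed fields
    (address, display number, auth name, auth data), all big-endian."""
    entries, pos = [], 0
    while pos < len(blob):
        try:
            (family,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields = []
            for _ in range(4):
                (size,) = struct.unpack_from(">H", blob, pos)
                pos += 2
                if pos + size > len(blob):
                    raise ValueError("truncated field")
                fields.append(blob[pos:pos + size])
                pos += size
        except struct.error as exc:
            raise ValueError("truncated entry") from exc
        address, display, name, data = fields
        # Report only the length of the secret, never the cookie itself.
        entries.append({"family": FAMILIES.get(family, str(family)),
                        "address": address.decode("latin-1"),
                        "display": display.decode("ascii", "replace"),
                        "scheme": name.decode("ascii", "replace"),
                        "secret_len": len(data)})
    return entries

def audit(path):
    """Return (exposed, entries); exposed is True if group/other have any access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        return bool(mode & 0o077), parse_entries(fh.read())

def make_entry(family, address, display, name, data):
    """Build one constructed entry for demonstration (not a real cookie)."""
    return struct.pack(">H", family) + b"".join(
        struct.pack(">H", len(f)) + f for f in (address, display, name, data))

SAMPLE = make_entry(256, b"examplehost", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))

if __name__ == "__main__":
    exposed, entries = audit(authority_path(os.environ))
    print("group/other access:", exposed)
    for entry in entries:
        print(entry)
```

A result of True for the first value means any account covered by those permission bits can read the cookie and so connect to the session, which is the exposure the owner-only file mode is meant to prevent.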


