About xhost security policies

Daniel Felix Ferber danielsforummail at terra.com.br
Mon Jan 8 11:17:18 PST 2007

Dave and Glynn, thanks for the advices. Now I understand why (and why 
not) some of my cases were working. But, IMHO, I think that the man 
pages are not very clear how X security works. And all other forums or 
pages document how, but not why... and they were not covering my case.

I was misunderstood by believing that a local x client is allowed to run 
on the local x server due to some special rule that always allows local 
clients from the same user that started the server. That was the (wrong) 
impression I got by experimenting with the x server.

Now I know that the local client works without "xhost +localhost" not 
because it is local, but because it can read and send credentials from 
the .Xauthority file or the file pointed from the XAUTHORITY environment 
variable (I did not notice this variable before).

A local sudoed x client cannot run even if it inherits the environment 
variables and home dir, because it cannot read the credentials file from 
the original user.

Please correct me if I am wrong: the x server first tests rules added to 
by the xhost, if this fails, it tests credentials from xauth.

My Java application cannot send credentials simply because it is not 
aware about the .Xauthority file or the file pointed from the XAUTHORITY 
environment variable, although it has access to them. Therefore, the 
only way is giving permissions for connections from localhost for the user.

I am aware of better authentication methods that xhost and know that 
unix-domain sockets would be better. Unfortunately I am working with a 
legacy application that does not implement credentials and Java does not 
support unix-domais sockets.

I really appreciated your help. Thanks again.
Daniel Felix Ferber

Dave Airlie escreveu:
>> If you want to grant other accounts access to your X session, extract
>> the authentication credentials using "xauth extract ...", transfer
>> them to the other account, then have that account add them to its own
>> ~/.Xauthority file using "xauth merge ...".
> or use server interpreted,
> xhost +si:localuser:username
> Dave.
>> > Is there some documentation or specification available online about
>> > the xhost authentication policy? Or does someone have deeper
>> > knowledge about?
>>         man xauth
>> -- 
>> Glynn Clements <glynn at gclements.plus.com>
>> _______________________________________________
>> xorg mailing list
>> xorg at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/xorg

More information about the xorg mailing list