X security query

Alan Coopersmith Alan.Coopersmith at Sun.COM
Wed Aug 19 07:38:03 PDT 2009


Thomi Richards wrote:
> I'm trying to write an application that runs as a daemon and monitors
> running X sessions. Right now I'm struggling to find documentation
> regarding the X security model. 

Start with the Xsecurity man page (if it's not installed in your distro,
the nroff source is at:
http://cgit.freedesktop.org/xorg/doc/xorg-docs/tree/man/general/Xsecurity.man )

> In my test environment, the X server is started like this:
> 
> /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-QBEVDj
> 
> That file contains a single entry, that looks like this:
> 
> #ffff##:  MIT-MAGIC-COOKIE-1  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> 
> 
> by adding an entry to ~/.Xauthority with the same hex key, I can
> connect to the X server. However, this is difficult because I need to
> programmatically find the auth file the X server is using (the
> location of which I guess will change from distro to distro, and
> probably from one boot to the next), 

The auth directory should be constant on a given distro, but the file name
is a random string that changes every time the X server process is
restarted.

> then query it, then write a new
> auth file. If the process is running as a daemon, it might not have a
> home directory, so how do I know where to write the new entries to?

You can setenv XAUTHORITY to the file name to look for cookies in - if
your daemon is running as root, it could even be set to the /var/run/...
file itself.

> Ideally, what I'm looking for is a way to bypass the need to have the
> xauth cookie in ~/.Xauthority, or even to know what the cookie is at
> all. I realise that this is unlikely - what good is a security model
> if it's easily bypassed? but I'm hoping someone on this list may have
> a few good ideas. Is there a way to specify that my process is
> privileged and thus should automatically be given access to any
> display on the local machine?

Modern X servers on current platforms allow authentication by username
or groupname - "xhost +si:localuser:root" for instance. I think, but
don't remember ever trying, that you can include these in the default
authentication list in /etc/X0.hosts (replace 0 with the display id for
Xservers other than :0).

-- 
	-Alan Coopersmith-           alan.coopersmith at sun.com
	 Sun Microsystems, Inc. - X Window System Engineering
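The lookup Thomi describes (find the auth file the X server was started with, then point XAUTHORITY at it as Alan suggests for a root daemon), as an added shell example that is not code from the thread. It assumes a Linux /proc filesystem, a server binary named X or Xorg, and a command line of the form quoted above; xdpyinfo is used only as the connectivity check.

```shell
#!/bin/sh
# Added example, not code from the thread: find the -auth file the running
# X server was started with and point XAUTHORITY at it, as suggested above.

# Print the value that follows "-auth" in an X server command line ($1).
x_auth_file_from_cmdline() {
    set -- $1                      # split the command line into words
    while [ $# -gt 1 ]; do
        [ "$1" = "-auth" ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

# Print the display argument (":0", ":1", ...) of an X server command line.
x_display_from_cmdline() {
    set -- $1
    for word in "$@"; do
        case $word in :[0-9]*) printf '%s\n' "$word"; return 0 ;; esac
    done
    return 1
}

# Linux only: scan /proc for a process whose binary is X or Xorg and print
# "<display> <authfile>".  Needs read access to that /proc/<pid>/cmdline.
find_x_server_auth() {
    for f in /proc/[0-9]*/cmdline; do
        cmd=$(tr '\000' ' ' 2>/dev/null < "$f") || continue
        case ${cmd%% *} in
            X|Xorg|*/X|*/Xorg) ;;
            *) continue ;;
        esac
        auth=$(x_auth_file_from_cmdline "$cmd") || continue
        disp=$(x_display_from_cmdline "$cmd") || disp=:0
        printf '%s %s\n' "$disp" "$auth"
        return 0
    done
    return 1
}

# Probe only when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--probe" ]; then
    info=$(find_x_server_auth) || { echo "no X server with -auth found" >&2; exit 1; }
    set -- $info
    DISPLAY=$1 XAUTHORITY=$2; export DISPLAY XAUTHORITY
    # Using the server's own file avoids rewriting ~/.Xauthority (needs root
    # or read access to it); xdpyinfo confirms the cookie is accepted.
    xdpyinfo >/dev/null && echo "authenticated to $DISPLAY via $XAUTHORITY"
fi
```

Run it as `sh script.sh --probe` from the daemon's startup; the random file name Alan mentions is handled because the path is read from the live process rather than hard-coded.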