Auth cookie in localhost displays?

[Ian Liu Rodrigues]

Hello all,

I am Ian Liu and this is my first post to this list, salute.

*Short description*
Why X11 doesn't include the authorization cookie when DISPLAY's host is
localhost? Is there a way to include it?

*Long description*
I work on a project where we do X11 forwarding "by hand", meaning that we
manually register xauth cookies and set displays. We may have a scenario
like this: machine *A* connects to *B* which connects to *C* via locally
bind'ed TCP. The bridge between the machines is done with SSH forwards.

The display is on machine *A*, and a graphical program runs on *C*, so we
make SSH tunnels between *A**B* and *B**C*, and export the DISPLAY variable
in *C* to *localhost:port*, where *port* is the port forwarded by the ssh
tunnel, minus 6000.

When the connection reaches *A*, usually we must forward the incoming TCP
connection to the X11 unix domain socket (/tmp/.X11-unix/X0). We did this
by writing our own TCP to Unix socket forwarder. But our forwarder creates
a security issue when executed by the user. It allows arbitrary users to
export their display to the first one's display.
So, what we did was to make the same check SSH does when forwarding X,
which is to compare the xauth cookie that arrives in the header of a X
connection.

But, if the display exported is localhost, X doesn't send the authorization
cookie, and we cannot validate it anymore. Is there a reason for this?

I hope I was clear enough, please advice me if nothing was understood.

Kind regards,
Ian L. Rodrigues.

PS.: The project I work on is Free software, available here:
bitbucket.org/gebrproject/gebr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.x.org/archives/xorg/attachments/20130116/47df29cd/attachment.html>