xauth clarifications

Sylvain Leroux sylvain at chicoree.fr
Wed Feb 21 11:45:27 UTC 2018


Hi everyone,

I'm trying to understand the internals of the xauth authentication
protocol, especially in the context of making the X display accessible
to locally running Docker containers.

I know that if I add a cookie to the ".Xauthority" file of the X session
owner and a guest has the same MIT-MAGIC-COOKIE-1, the latter is
granted access to the X server.  And indeed it works nicely.

But I'm trying to understand *how* it works. There are at least three
things that are not clear in my mind. And Xserver(1) and Xsecurity(7)
were not of very much help here:


1) When is the "$XAUTHORITY" file (re-)read by the server?
================================================
According to the xauth man page:
"""
Note that this program [xauth] does not contact the X server except
when the generate command is used.
"""

But it _seems_ to me when I update the cookie with "xauth add ..."
from Xephyr, the X server takes that change into account immediately.

Does that mean the ".Xauthority" file of the session owner is checked
each time a new client is trying to connect to the server?


2) When is the system authorization cookie generated?
================================================
On my system, Xorg (Debian Linux w/lightdm) is started with the option
"-auth /var/run/lightdm/root/:0"
":0" is an xauth file.

If I understand it correctly, this is the authorization file the
client $AUTHORIZATION credentials are checked against.

But how is that ":0" file initially populated? On my system, the
cookie seems to change each time I restart the X server. But somehow
the new cookie _seems_ to be propagated to the logged in user
$XAUTHORIZATION file.

Is there a way to ensure a cookie will remain valid across Xorg restarts?


3) Are Xorg and Xephyr handling xauth the same way?
================================================
I'm using both a genuine Xorg server and Xephyr.

Are both of them consistent in the way they handle xauth authorizations?



Sorry for that long message. But as you've seen, things are unclear in
my mind. So any comment or pointer to the relevant documentation would
be much appreciated.


Thanks in advance for your help,
- Sylvain


PS/FWIW I'm running:
- Linux Debian 9.0
- xfce 4.12
- lightdm 1.18
- xorg/xephyr 1.19.2


-- 
-- Sylvain Leroux
-- sylvain at chicoree.fr
-- http://www.chicoree.fr
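
Added example, not part of the original message or of the X.Org code: a parser for the binary Xauthority file layout (big-endian 16-bit family, then four length-prefixed fields) that checks whether a guest file holds the same MIT-MAGIC-COOKIE-1 as the session owner's file for a given display. The host names "debian" and "container", the helper names and the cookie bytes are constructed for illustration.

```python
import struct

# Family codes as defined in X11/X.h and X11/Xauth.h
FAMILIES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}

def read_field(buf, off):
    """Read one counted field: 2-byte big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated length at offset %d" % off)
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return buf[off:off + n], off + n

def parse_xauthority(buf):
    """Parse the raw bytes of an Xauthority file into a list of entries."""
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated family at offset %d" % off)
        (family,) = struct.unpack_from(">H", buf, off)
        address, off = read_field(buf, off + 2)
        number, off = read_field(buf, off)
        name, off = read_field(buf, off)
        data, off = read_field(buf, off)
        entries.append({"family": FAMILIES.get(family, family),
                        "address": address, "display": number.decode(),
                        "name": name.decode(), "cookie": data})
    return entries

def shares_cookie(owner, guest, display):
    """True if guest holds an MIT-MAGIC-COOKIE-1 for display that owner also holds."""
    def cookies(entries):
        return {e["cookie"] for e in entries
                if e["name"] == "MIT-MAGIC-COOKIE-1" and e["display"] == display}
    return bool(cookies(owner) & cookies(guest))

def make_entry(family, address, display, data, name=b"MIT-MAGIC-COOKIE-1"):
    """Serialize one record; used only to build the constructed samples below."""
    fields = (address, display, name, data)
    return struct.pack(">H", family) + b"".join(
        struct.pack(">H", len(f)) + f for f in fields)

# Constructed sample files (the cookie values are not real secrets)
COOKIE = bytes(range(16))
OWNER = make_entry(256, b"debian", b"0", COOKIE)
GUEST = make_entry(256, b"container", b"0", COOKIE)  # same cookie, other host
STALE = make_entry(256, b"container", b"0", bytes(16))  # cookie no longer valid
```

The comparison is on the cookie bytes for the display only: the address recorded in the file differs between the owner's and the guest's entry, yet the two still match.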

