About xhost security policies
Daniel Felix Ferber
danielsforummail at terra.com.br
Mon Jan 8 11:17:18 PST 2007
Dave and Glynn, thanks for the advices. Now I understand why (and why
not) some of my cases were working. But, IMHO, I think that the man
pages are not very clear how X security works. And all other forums or
pages document how, but not why... and they were not covering my case.
I was misunderstood by believing that a local x client is allowed to run
on the local x server due to some special rule that always allows local
clients from the same user that started the server. That was the (wrong)
impression I got by experimenting with the x server.
Now I know that the local client works without "xhost +localhost" not
because it is local, but because it can read and send credentials from
the .Xauthority file or the file pointed from the XAUTHORITY environment
variable (I did not notice this variable before).
A local sudoed x client cannot run even if it inherits the environment
variables and home dir, because it cannot read the credentials file from
the original user.
Please correct me if I am wrong: the x server first tests rules added to
by the xhost, if this fails, it tests credentials from xauth.
My Java application cannot send credentials simply because it is not
aware about the .Xauthority file or the file pointed from the XAUTHORITY
environment variable, although it has access to them. Therefore, the
only way is giving permissions for connections from localhost for the user.
I am aware of better authentication methods that xhost and know that
unix-domain sockets would be better. Unfortunately I am working with a
legacy application that does not implement credentials and Java does not
support unix-domais sockets.
I really appreciated your help. Thanks again.
Daniel Felix Ferber
Dave Airlie escreveu:
>> If you want to grant other accounts access to your X session, extract
>> the authentication credentials using "xauth extract ...", transfer
>> them to the other account, then have that account add them to its own
>> ~/.Xauthority file using "xauth merge ...".
> or use server interpreted,
> xhost +si:localuser:username
>> > Is there some documentation or specification available online about
>> > the xhost authentication policy? Or does someone have deeper
>> > knowledge about?
>> man xauth
>> Glynn Clements <glynn at gclements.plus.com>
>> xorg mailing list
>> xorg at lists.freedesktop.org
More information about the xorg