Securing Xvfb on a multi-user system

Aivils Štoss aivils at
Sat Jan 17 06:08:33 PST 2015

Citējot Billy Wilson <billy_wilson at>:

> Hi,
> I have a question about using Xvfb securely on a multi-user system.  
> We are currently using xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our  
> main reason for using Xvfb is to accommodate one of our users, whose  
> scientific computing software requires an X server for some reason.
> My concern is that if the non-privileged user runs the following:  
> `Xvfb :1 -screen 0 800x600x24+1`

probably You cant start it without TCP protocol

$ Xvfb :1 -screen 0 800x600x24+1 -nolisten tcp

and after successful start restrict the socket file

$ chmod 0600 /tmp/.X11-unix/X1

> Any user on the system is able to export DISPLAY=:1 and run programs  
> that connect to his dummy X server. I'm aware of auth file and xhost  
> mechanisms for access control, but I was wondering how I can have  
> Xvfb restrict connections strictly to the user, by default.
> In other words: How can I prevent an uninformed user from using the  
> Xvfb defaults and opening X to the world?
> Thanks,
> Billy Wilson

More information about the xorg mailing list