Securing Xvfb on a multi-user system

Roland Mainz roland.mainz at
Tue Jan 27 08:16:32 PST 2015

On Tue, Jan 13, 2015 at 11:22 PM, Billy Wilson <billy_wilson at> wrote:
> Hi,
> I have a question about using Xvfb securely on a multi-user system. We are
> currently using  xorg-x11-server-Xvfb-1.10.4-6.el6.x86_64. Our main reason
> for using Xvfb is to accommodate one of our users, whose scientific
> computing software requires an X server for some reason.
> My concern is that if the non-privileged user runs the following: `Xvfb :1
> -screen 0 800x600x24+1`
> Any user on the system is able to export DISPLAY=:1 and run programs that
> connect to his dummy X server. I'm aware of auth file and xhost mechanisms
> for access control, but I was wondering how I can have Xvfb restrict
> connections strictly to the user, by default.
> In other words: How can I prevent an uninformed user from using the Xvfb
> defaults and opening X to the world?

See Xsecurity(7) manual page... the SUN-DES-1 MIT-KERBEROS-5 and
ServerInterpreted auth (see $ xhost +si:localuser:root # example in
the man page, likely your preference if you only need Xvfb locally)
are user-to-user authentification mechanisms...



  __ .  . __
 (o.\ \/ /.o) roland.mainz at
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)

More information about the xorg mailing list