Markus Kuhn Markus.Kuhn at cl.cam.ac.uk
Wed Dec 7 14:48:41 UTC 2016

Historically, the X authority file was placed into $HOME/.Xauthority
such that X11 clients on remote servers could access it in environments
in which $HOME is located on a network file system.

Today, this practice has become an anachronism that causes far
more problems than it solves:

a) Remote X11 clients are typically started today via "ssh -X",
which emulates its own X11 server port $DISPLAY and therefore
always creates its own X authority file entry on the remote server.
Therefore, there is no longer any practical benefit from having
the X authority file located in $HOME.

b) If $HOME is on a network file system that implements "root squash",
then commands such as "sudo xterm" or "sudo wireshark" won't work to
start an X client with root privileges, as root is not able to
read ~/.Xauthority via NFS. :-(

c) If $HOME is on a network file system with Kerberos authentication,
then users can easily get locked out by their screensavers once the
Kerberos ticket expires. This is because some screen lockers
(e.g., gnome-screensaver) invoke a separate utility (e.g.,
/usr/lib/gnome-screensaver/gnome-screensaver-dialog) in order to
ask the user of a locked screen for their password. Such a tool needs
to access $XAUTHORITY right before it can display the password prompt,
which will fail if the user's Kerberos ticket has expired (e.g. because
a machine was suspended for 24 hours and therefore the ticket was not
refreshed automatically on time). Without the ability to ask for
a password, the screensaver then cannot call pam_krb5 to renew
the user's Kerberos ticket, and the user remains locked out
in a deadlock situation. :-(

Both b) and c) are regular reasons for support requests in
educational/corporate Linux environments with $HOME on Kerberized NFS.

The solution is simple. Instead of $HOME/.Xauthority, just use in
future $XDG_RUNTIME_DIR/xauthority as the location of the X authority file.
(In case $XDG_RUNTIME_DIR/ does not exist, /tmp/xauthority-$USER might
be a suitable fallback option.)

According to https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
the $XDG_RUNTIME_DIR has all the right properties for holding the
X authority file: it is always located in a local tmpfs file system,
guaranteed to be accessible only to the current user, and will be wiped
when the user has closed all sessions.

E.g. on recent Linux systems, pam_systemd usually creates
XDG_RUNTIME_DIR=/run/user/$UID, and wipes it in the end.

(Note that according to https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
you should set the "sticky bit" on any files created in $XDG_RUNTIME_DIR
whose timestamp is not updated regularly.)

Feature request: please provide an option for any X display manager to
do the equivalent of

   export XAUTHORITY=$XDG_RUNTIME_DIR/xauthority
   chmod +t $XAUTHORITY

and encourage OS distribution maintainers to set this option by default,
such that ~/.Xauthority is no longer used.


See also:

Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain

More information about the xorg mailing list