xauth clarifications

Michal Srb msrb at suse.com
Thu Feb 22 16:16:51 UTC 2018


On Wednesday, 21 February 2018 12:45:27 CET Sylvain Leroux wrote:
> 1) When is the "$XAUTHORITY" file (re-)read by the server?
> ================================================
> According to the Xauth man:
> """
> Note that this program [xauth] does not contact the X server except
> when the generate command is used.
> """
> 
> But it _seems_ to me when I update the cookie with "xauth add ..."
> from Xephyr, the X server takes that change into account immediately.
> 
> Does that mean the ".Xauthority" file of the session owner is checked
> each time a new client is trying to connect to the server?

Yes, it checks the modification time and if it is different, it is reloaded:

https://cgit.freedesktop.org/xorg/xserver/tree/os/auth.c#n160

> 2) When is the system authorization cookie generated?
> ================================================
> On my system, Xorg (Debian Linux w/lightdm) is started with the option
> "-auth /var/run/lightdm/root/:0"
> ":0" is an xauth file.
> 
> If I understand it correctly, this is the authorization file the
> client $AUTHORIZATION credentials are checked against.
> 
> But how is that ":0" file initially populated? On my system, the
> cookie seems to change each time I restart the X server. But somehow
> the new cookie _seems_ to be propagated to the logged in user
> $XAUTHORIZATION file.
> 
> Is there a way to ensure a cookie will remain valid across Xorg restarts?

Whoever is starting the X server is in charge of generating the file for the 
cookies. In usual usage it is the display manager, in your case lightdm.

Some display managers use the ~/.Xauthority file. If it already exists and 
contains some entries, they must not remove them because they may belong to 
some other session of the same user (could even be on a different machine in 
case of a network home). 

But many display managers today create a fresh file somewhere under /var/run, so 
no cookie will persist between logins.

So if you want to use the same cookie across restarts (may not be best for 
security), you need to either start X yourself or adapt the display manager, 
or add an extra cookie after the session was started.

> 3) Are Xorg and Xephyr handling xauth the same way?
> ================================================
> I'm using both a genuine Xorg server and Xephyr.
> 
> Are both of them consistent in their way to handle xauth authorizations?

I think yes.

Michal
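
A sketch of the behaviour described in the answer to question 1 (the authorization file is re-read when its modification time differs), added here as an illustration; it is not the X server's code from os/auth.c. The function and class names, the host name "myhost" and the cookie bytes are constructed for the example; the record layout (big-endian 16-bit family, then four length-prefixed strings) is the one libXau reads and writes.

```python
import os
import struct
import tempfile

def make_record(family, address, number, name, data):
    """Serialize one entry: 16-bit family, then four length-prefixed strings."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Return (family, address, number, name, data) tuples from raw file bytes."""
    entries, pos = [], 0
    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated Xauthority record")
        pos += n
        return blob[pos - n:pos]
    while pos < len(blob):
        family = struct.unpack(">H", take(2))[0]
        fields = [take(struct.unpack(">H", take(2))[0]) for _ in range(4)]
        entries.append((family, *fields))
    return entries

class AuthFileCache:
    """Re-read the cookie file only when its modification time has changed."""
    def __init__(self, path):
        self.path, self.mtime, self.entries, self.reloads = path, None, [], 0
    def entries_for_new_client(self):
        mtime = os.stat(self.path).st_mtime_ns
        if mtime != self.mtime:  # changed since the last connection: reload
            with open(self.path, "rb") as f:
                self.entries = parse_xauthority(f.read())
            self.mtime, self.reloads = mtime, self.reloads + 1
        return self.entries

def demo():
    """Constructed sample: two file versions, two client connections each."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth")
        cache, seen = AuthFileCache(path), []
        for cookie, mtime in ((b"\x11" * 16, 1000), (b"\x22" * 16, 2000)):
            with open(path, "wb") as f:  # 256 = FamilyLocal
                f.write(make_record(256, b"myhost", b"0", b"MIT-MAGIC-COOKIE-1", cookie))
            os.utime(path, (mtime, mtime))  # pin mtime so the demo is deterministic
            seen += [cache.entries_for_new_client()[0][4] for _ in range(2)]
        return seen, cache.reloads
```

In this sketch the second connection against an unchanged file costs only a stat() call, and the updated cookie becomes visible on the first connection after the file's mtime changes.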

