How exactly is the Xorg MIT-COOKIE being sent by the application to the server - does Xlib do that?

Alan Coopersmith alan.coopersmith at
Wed Oct 31 05:30:35 UTC 2018

On 10/30/18 08:30 PM, Veek M wrote:
> You can setup Xorg to listen only on a UNIX DOMAIN socket:
> *Xorg -nolisten tcp -nolisten inet -nolisten inet6 -listen unix
> -nolisten local  :0 -seat seat0 vt7 -novtswitch&*
> The Xorg process must receive a COOKIE on this /tmp/X11/X0 and
> @/tmp/X11/X0 device, that matches its cookie - it then creates an
> internal CONTEXT that is associated with the cookie-senders IP:PORT IF
> this were a socket (TCP etc) since we've disabled TCP, the pipe is
> used but how does Xorg validate connections on that one pipe? Does it
> use/generate a different token (similar to what FTP does - one port to
> negotiate and another for xfer) or is the cookie passed in for every
> API call the Xlib/Client makes AFTER XOpenWIndow()?

Just like a TCP socket, every time an application connects to a
Unix domain socket or named pipe, it causes a new file descriptor
to be created in the X server.  In the connection setup on that
file descriptor the client would send the cookie if required, and
the X server then marks that file descriptor as authenticated.

	-Alan Coopersmith-               alan.coopersmith at
	 Oracle Solaris Engineering -

More information about the xorg mailing list