Limit which local users may connect to X11 display

Solution 1

With Xorg – yes, by using a special kind of "server-interpreted" addresses:

    xhost +SI:localuser:root
    xhost +SI:localuser:jim

Alternatively, you could give every user a copy of the Xauthority file that you used for Xorg -auth ….

However, X11 was not designed for multiple users accessing the same display, and every client basically has full access, so you're introducing a huge security hole by doing this – any user could monitor the entire screen, run a keylogger, grant anyone else access, or revoke access for existing users.

Solution 2

You can also disable xhost security with:

    xhost +

Author: user267565

Updated on September 18, 2022

Comments

  • user267565
    user267565 almost 2 years

    I have an X.org server running on my machine (Gentoo Linux without PAM, PolicyKit etc), incoming TCP connections are disabled with -nolisten tcp.

    Is it possible to establish a whitelist specifying which local users are allowed to open windows on that X11 display?

    Edit: I start my X server with this systemd unit:

    [Unit]
    Description=X Window System
    Requires=systemd-user-sessions.service
    After=systemd-user-sessions.service
    
    [Service]
    ExecStart=/usr/bin/xinit ${HOME}/.xinitrc -- -nolisten tcp vt09
    User=myuser
    Environment=SHELL=/bin/bash
    
    [Install]
    Alias=display-manager.service
    

    Edit 2: I've modified it to this ...

    ExecStart=/usr/bin/xinit ${HOME}/.xinitrc -- -auth ${HOME}/.Xauthority -nolisten tcp vt09
    

    ... created ${HOME}/.Xauthority ...

    mcookie | sed -e 's/^/add :0 . /' | xauth -q
    

    ... and restarted the X server. Voila, authorisation is now default-deny. To give specific users access, I've copied .Xauthority to their home directory.

    xhost commands weren't used.

    • phil294
      phil294 about 6 years
      I think it is notable that the default-allow scenario can also occur when the .Xauthority file is empty. / a --auth option didn't create it for me either, had to do it manually. superuser.com/questions/806637/…
  • user267565
    user267565 over 10 years
    I've tried your suggestion, but I seem to have a default-allow permission model set up, so it doesn't limit other users. I've added some information about how the X server is started.
  • user267565
    user267565 over 10 years
    For context: An X11 sandbox is just what I'm building. The classic approach uses Xephyr, I'm using xpra and it works, but what's the point if the sandboxed user can just connect to the real X11 server anyway?
  • user1686
    user1686 over 10 years
    @user267565: The sandboxed user can connect to the real X11 server only if you allow it – either by adding it to xhost, or by giving it a copy of the Xauth data.
  • user267565
    user267565 over 10 years
    For others who had the same problem: Unless the X server is started with the -auth parameter, that parameter points to an existing and readable file, and that file is nonempty and contains valid data, the server will be default-allow.
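
The conditions named in the last comment (the -auth file exists, is readable, is non-empty and contains valid data) can be checked before the X server is started. The following is an added example, not code from the thread: it parses the Xauthority record layout and returns a list of findings for a given file. The function names are hypothetical, and treating only a 16-byte MIT-MAGIC-COOKIE-1 record (what `mcookie` produces) as valid, as well as flagging group/other file permissions, are assumptions of this sketch.

```python
import os, stat, struct

def build_record(family, address, number, name, data):
    """Serialize one record; used here only to construct sample input."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Parse records: 2-byte family, then four big-endian length-prefixed fields."""
    entries, pos = [], 0
    while pos < len(blob):
        try:
            (family,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields = []  # address, display number, auth name, auth data
            for _ in range(4):
                (size,) = struct.unpack_from(">H", blob, pos)
                pos += 2
                if pos + size > len(blob):
                    raise ValueError("field runs past end of file")
                fields.append(blob[pos:pos + size])
                pos += size
        except struct.error:
            raise ValueError("truncated record") from None
        entries.append((family, *fields))
    return entries

def audit_xauthority(path):
    """Return a list of findings; an empty list means no problem was found."""
    try:
        mode = os.stat(path).st_mode
        with open(path, "rb") as handle:
            blob = handle.read()
    except OSError as exc:
        return [f"missing or unreadable: {exc.strerror}"]
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # assumption: cookie file should be owner-only
        findings.append("cookie file is accessible to group or others")
    if not blob:
        return findings + ["file is empty"]
    try:
        entries = parse_xauthority(blob)
    except ValueError as exc:
        return findings + [f"malformed data: {exc}"]
    if not any(e[3] == b"MIT-MAGIC-COOKIE-1" and len(e[4]) == 16 for e in entries):
        findings.append("no well-formed MIT-MAGIC-COOKIE-1 record")
    return findings
```

Any finding other than the permissions one corresponds to a case the comment describes as leaving the server default-allow, so a start-up wrapper can refuse to launch X when the list is not empty.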