xhost +localhost

Gert Cuykens gert.cuykens at gmail.com
Sat Feb 5 16:33:44 PST 2005

On Fri, 4 Feb 2005 22:47:04 -0800, Loren M. Lang <lorenl at alzatex.com> wrote:
> On Fri, Feb 04, 2005 at 12:21:34AM +0100, Gert Cuykens wrote:
> > On Thu, 3 Feb 2005 14:58:35 -0800, Loren M. Lang <lorenl at alzatex.com> wrote:
> > > This enable all programs to have access that are using unix domain
> > > sockets to not need the MIT-MAGIC-COOKIE stored in the .Xauthority file
> > > in the users home directory so any user can open a program on that
> > > display.  xhost +localhost adds all programs from localhost using tcp
> > > connections instead.  DISPLAY=:0 causes a program to use fast unix
> > > domain sockets where DISPLAY=localhost:0 causes a program to use slow
> > > tcp sockets instead.  tcp sockets are really only needed for remote
> > > connections and xhost +localhost won't allow any local programs to
> > > access X unless they use tcp, not unix.  See my first response for more
> > > information.
> >
> > ok time out :)
> > 1)does xhost set the DISPLAY variable ?
> No, in fact, xhost needs the DISPLAY variable already set so that it
> knows which display to try and connect to to change access control.
> xhost needs some way to authenticate itself to the X server so X can
> trust that it's a legit user trying to change the access control.  If
> you open up X to all local users by using something like xhost
> +localhost or xhost local: then any local user could take over your
> display and use xhost to disable your access to it.
> > 2)does xhost local: also uses the tcp thingie or use it the x socket thingie ?
> local: allows anyone to access the X server through unix domain sockets.
> +localhost allows all local programs to access X though tcp sockets.
> Normally tcp sockets are only used for remote connections since they are
> slower than unix sockets, but unix sockets only work on the same
> machine.
> > 3)what must i put in the .Xauthority file to make the screensaver work
> > with having to use xhost ?
> When X first logs in to a user, it creates the .Xauthority file in that
> users home directory and fills it with a random string called a
> MIT-MAGIC-COOKIE.  Any X client, by default, reads that file to see what
> the cookie is then sends it to the X server to authenticate itself.
> Anyone who can read that file can access the display so that file is
> normally only readable by the user who logged in, though root can always
> read it because root is god.  When you run an X program as a different
> user, it will look in that users home directory for the .Xauthority
> file and so won't be able to find the right cookie unless you used the
> xauth command to give that user the cookie ahead of time.  By setting
> the XAUTHORITY environment variable to some other file, it will check that
> file for the magic cookie instead of the current users home directory.
> This is useful when running a command as root that you want to access a
> normal users X server.  This is a much more secure way to allow access
> to X than using xhost since you know what users are able to access X,
> not just which computers, which may have multiple users on them.
> In summary, don't touch xhost, just use:
> XAUTHORITY=/home/user/.Xauthority xscreensaver
> or you can use xauth to extract the magic cookie and then import it into
> the correct users .Xauthority file.  As the user of the X server:
> xauth extract my-cookie-file $DISPLAY
> Saves the magic cookie to a file called my-cookie-file for the current
> display.  Then as the user who want to access the X display:
> xauth merge my-cookie-file
> Adds the cookie stored in my-cookie file to the current users
> .Xauthority file.  Now user B can open an X application on A's X server.
> Oh, and don't run xscreensaver as root EVER!  Instead, if you're really
> paranoid about security, make a user who can access any of your files
> whose sole purpose is to run xscreensaver then use that user to run it.
> This is still not that much more secure since any user that can access
> an X server can essentially take it over and control your mouse and
> keyboard doing what ever they want, like openning an xterm on your
> display and running the passwd command to change your passwd.  Now they
> just gained access to all your files as well.

Thx this clears alot of questions :)
One more question doh, about the x cookie.

How long does it take to calculate the x cookie string yourself of a
user you want to hack :)

More information about the freebsd-questions mailing list