X11 and ezjails

Ernie Luzar luzar722 at gmail.com
Sat Apr 1 16:24:20 UTC 2017

Christoph Brinkhaus wrote:
> On Fri, Mar 31, 2017 at 01:39:29PM -0400, James B. Byrne via freebsd-questions wrote:
> Dear James,
>> FreeBSD-11.0
>> I would like to run gvim in an X11 window over ssh to a jailed
>> instance created with ezjail.  I have set sshd_config in the jail to
>> allow X11Forwarding and I am connecting with 'ssh -Y jail.domain.tld'.
>> However, when I log into the jail and run gvim then I see this:
>> # gvim
>> X11 connection rejected because of wrong authentication.
>> E233: cannot open display
>> Press ENTER or type command to continue
>> E852: The child process failed to start the GUI
>> X11 connection rejected because of wrong authentication.
>> I have run into this before and have attempted to apply all of the
>> previous remedies but nothing seems to work.  Is there anything about
>> jails themselves that would prevent X11 forwarding?
>> Has anyone accomplished what I am trying to do?  If so then how was it
>> done?
> Please have a look at
> https://forums.freebsd.org/threads/53362/
> It works with ezjail as well.

The bare fact is you cannot run an X11 GUI in a jail. The X11 GUI needs
access to the kernel, which is blocked by jail(8) as a security violation.

iocage uses an unofficial patch to allow an X11 GUI desktop to run in a
jail, but doing so robs the jail of all its built-in security. So why
would anyone do that?

This is not an ezjail problem, but a misunderstanding of how jail(8)
and the X11 GUI work.
