If you don't use the -auth auth-file
option, Xephyr :1
already allows anybody from the same host to connect to it, even without the -ac
option. Try this:
hinz$ Xephyr :1 &
then, as another user
kunz$ xclock -display :1
This also applies to any X server, not just Xephyr
; if you look at your regular Xorg
server, you will see that the -auth
option is passed explicitly:
$ pgrep -ai Xorg
2347 /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /run/user/1000/gdm/Xauthority -background none -noreset -keeptty -verbose 3
According to the Xserver(1)
manpage (emphasis mine):
The X server also uses a host-based access control list for deciding
whether or not to accept connections from clients on a particular machine. If no other authorization mechanism is being used, this list
initially consists of the host on which the server is running as well
as any machines listed in the file /etc/Xn.hosts
As already mentioned in another answer, some Xorg servers (eg. Xwayland) don't support any authenticating mechanism beyond checking who opened the unix socket via getsockopt(SO_PEERCRED)
-- the "localuser & localgroup server interpreted access type" from Xsecurity(7)
; also, some distros like Debian gapped the regular Xorg server via xhost +si:localuser:$(id -un)
from an xsession script. Since a socket fd can be passed around and a client could be proxied by programs like xscope
, that's a VERY foolish thing to do.
What to do
If you want to prevent other users from connecting to your X server, you have to use some form of authentication.
Create an authorization file, pass it via the -auth
option to the X server, and then let the client use the same when connecting to the server.
# create a MIT-COOKIE authfile
$ xauth -f ~/.xauth-junk add :1 . "$(hexdump -n 16 -e '4/4 "%08x"' /dev/urandom)"
xauth: file /home2/ahq/.xauth-junk does not exist # it will be created
$ Xephyr :1 -auth ~/.xauth-junk &
Then either merge it in your usual $XAUTHORITY
file (~/.Xauthority
if not overridden in the environment)
$ xauth merge - < ~/.xauth-junk
$ xclock -display :1
Or pass it explicitly in the XAUTHORITY
environment variable:
$ XAUTHORITY=~/.xauth-junk xclock -display :1
You can check it the -auth
option really had any effect by trying to connect with a bogus auth file:
$ XAUTHORITY=/dev/null xdpyinfo -display :1 >/dev/null 2>&1 && echo OOPS, anybody can connect!
$
Xephyr :1 -auth ~/.xauth-junk &
, but if there is no .xauth-junk file, it still creates a window to which anyone can connect. – My5555 Mar 05 '20 at 11:12-auth
is loaded or not? If I execute the code:Xephyr :1 -auth ~/.xauth-junk &
but there is no file .xauth-junk, in any case a window will open, and anyone can connect to it. – My5555 Mar 06 '20 at 06:06-auth
– My5555 Mar 06 '20 at 06:17-auth
file. I don't know of any special way to check, but you could try running some client with a bogus authority file and see if it succeeds:XAUTHORITY=/dev/null xdpyinfo -display :1 >/dev/null 2>&1 && echo OOPS, anybody can connect
orXAUTHORITY=/dev/null DISPLAY=:1 xhost >/dev/null 2>&1 && ...
. – Mar 06 '20 at 06:57getsockopt(SO_PEERCRED)
(configured via eg.xhost +si:localuser:username
-- see theXsecurity(7)
manpage (and/etc/X11/Xsession.d/35x11-common_xhost-local
on any Debian machine). That's very bad, and I always disable it onXorg
, but that's not possible on Xwayland, because it's the only auth mechanism that Xwayland supports. – Mar 06 '20 at 07:08Xephyr :1 -resizeable
and using my wm's keybinding to make a window full screen works for me. And the resolution appears correctly inXrandr
. – Mar 07 '20 at 15:26