15

Please help me understand this line of command:

xhost +SI:localuser:lightdm

in reference to the answer in this post and also suggest if there's a better way and why that's needed. I couldn't make much from the man page, so I expect some more detailed answer to make it simple. (Should I replace localuser with my username, and is it something like adding to the group? I get that + is for adding but don't understand SI or si !)

Please also mention how is the user added to the "list allowed to make connections" and what that means. Also, how I check the current list?

Community
  • 1
rusty
  • 1,881

1 Answers1

21

xhost +SI:localuser:lightdm allows the lightdm user to access the running X server. The current X server is indicated by the DISPLAY environment variable.

The manpage has reasonably good explanations:

   [+]name The given name (the plus sign is optional) is added to the list
           allowed to connect to the X server.  The name  can  be  a  host
           name or a complete name (See NAMES for more details).
...
NAMES
   A complete name has the syntax ``family:name'' where the  families  are
   as follows:
...
   si        Server Interpreted
...
   the server interpreted address "si:localuser:username" can be  used  to
   specify a single local user. (See the Xsecurity(7) manual page for more
   details.)

And the Xsecurity manpage says:

SERVER INTERPRETED ACCESS TYPES
   The  sample  implementation   includes   several   Server   Interpreted
   mechanisms:
       IPv6                          IPv6 literal addresses
       hostname                      Network host name
       localuser                     Local connection user id
       localgroup                    Local connection group id

With a bit of context: There are two commonly used ways to allow access to an X server. One is via an Xauthority file, which is shared by the clients, and needs no further server-side configuration. The other is via the xhost list, where configuration is done on the server at runtime (so this is not a permanent change).

So, localuser is a keyword to be retained as is (lightdm is the username here, the one that LightDM runs as). This is somewhat like adding to a group, in that the groups are in the server's understanding of authorization. However, no system groups or users are affected. Only the X server's runtime configuration is changed.

The default behaviour of xhost when run without arguments is to print the list, as the manpage says:

nothing If no command line arguments are given,  a  message  indicating
        whether  or not access control is currently enabled is printed,
        followed by the list of those allowed to connect.

For example:

$ xhost
access control enabled, only authorized clients can connect
SI:localuser:muru

We'll probably need to examine code to determine how a user is added to the list, and how X uses that list.

The reason this is done is to use gsettings, which uses dbus, which in turn usually needs an X server running. However, this is not necessary, and you could see this AskUbuntu answer.

Community
  • 1
muru
  • 72,889
  • This is a really good answer; I'm interested in how to persist the host +xxx or host -zzz settings too. – will Mar 19 '19 at 06:01
  • 1
    When I run xhost without arguments it hangs, it is a normal behavior? @muru – alper Jul 16 '20 at 11:01
  • 1
    @will I didn't try personally, but editing ~/.xprofile with the adequate xhost commands would likely give you persistence. – NovHak Jan 29 '21 at 02:31
  • @muru Concerning how the X server enforces SI:localuser:<user> directives, the only reasonable way I see is to check what process is requesting access through its UNIX socket, and checking if the process' UID (RUID or EUID, I don't know) corresponds to the authorised user. That sort of information is usually available on non security-hardened systems. Check ss, the socket statistics tool. One common path name for X server UNIX sockets on display zero is /tmp/.X11-unix/X0. – NovHak Jan 29 '21 at 02:43