[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: running X on localhost with different user

On Wed, Mar 14, 2001 at 09:56:49AM +0900, Joongul Lee wrote:
> I was told that it is more secure to have 
> export XAUTHORITY=$HOME/.Xauthority
> executed in one of the initialization scripts (I have it in ~/.bashrc)

 Yes, because that stops other users on the same machine from getting in.
If you explicitly want any user on the local machine to be able to access
your X server, then xhost is the way to go.

 To use X authority to allow only a specific other user, you run
xauth list   while logged in as the user that started the server.  Cut and
paste the MIT-magic-cookie into a shell that's logged in as the other user. run
xauth add displayname protocolname hexkey
(the displayname will be :0.0 for the local machine, protocol will be
mit-magic-cookie, and hexkey is the random code.)

see xauth(1).  The example it lists is:
xauth extract - $DISPLAY | rsh otherhost xauth merge -

 Also see X(7), and the section on ACCESS CONTROL.
 Magic cookies can be eaten by people sniffing your network.  (as far as I
can tell, they are sent in plaintext).

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to: