Re: running X on localhost with different user
On Wed, Mar 14, 2001 at 09:56:49AM +0900, Joongul Lee wrote:
> I was told that it is more secure to have
> export XAUTHORITY=$HOME/.Xauthority
> executed in one of the initialization scripts (I have it in ~/.bashrc)
Yes, because that stops other users on the same machine from getting in.
If you explicitly want any user on the local machine to be able to access
your X server, then xhost is the way to go.
To use X authority to allow only a specific other user, you run
xauth list while logged in as the user that started the server. Cut and
paste the MIT-magic-cookie into a shell that's logged in as the other user. run
xauth add displayname protocolname hexkey
(the displayname will be :0.0 for the local machine, protocol will be
mit-magic-cookie, and hexkey is the random code.)
see xauth(1). The example it lists is:
xauth extract - $DISPLAY | rsh otherhost xauth merge -
Also see X(7), and the section on ACCESS CONTROL.
Magic cookies can be eaten by people sniffing your network. (as far as I
can tell, they are sent in plaintext).
#define X(x,y) x##y
Peter Cordes ; e-mail: X(email@example.com. , ns.ca)
"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BCE