XSECURITY(7)          Miscellaneous Information Manual          XSECURITY(7)

NAME
       Xsecurity - X display access control

DESCRIPTION
       X provides mechanisms for implementing many access control systems.
       The sample implementation includes five mechanisms:

       Host Access            Simple host-based access control.
       MIT-MAGIC-COOKIE-1     Shared plain-text "cookies".
       XDM-AUTHORIZATION-1    Secure DES based private-keys.
       SUN-DES-1              Based on Sun's secure rpc system.
       Server Interpreted     Server-dependent methods of access control.

       Not all of these are available in all builds or implementations.

ACCESS MECHANISMS
       Host Access
              Any client on a host in the host access control list is allowed
              access to the X server.  This system can work reasonably well in
              an environment where everyone trusts everyone, or when only a
              single person can log in to a given machine, and is easy to use
              when the list of hosts used is small.  This system does not work
              well when multiple people can log in to a single machine and
              mutual trust does not exist.  The list of allowed hosts is
              stored in the X server and can be changed with the xhost
              command.  The list is stored in the server by network address,
              not host names, so is not automatically updated if a host
              changes address while the server is running.  When using the
              more secure mechanisms listed below, the host list is normally
              configured to be the empty list, so that only authorized
              programs can connect to the display.  See the GRANTING ACCESS
              section of the Xserver man page for details on how this list is
              initialized at server startup.

       MIT-MAGIC-COOKIE-1
              When using MIT-MAGIC-COOKIE-1, the client sends a 128 bit
              "cookie" along with the connection setup information.  If the
              cookie presented by the client matches one that the X server
              has, the connection is allowed access.  The cookie is chosen so
              that it is hard to guess; xdm generates such cookies
              automatically when this form of access control is used.  The
              user's copy of the cookie is usually stored in the .Xauthority
              file in the home directory, although the environment variable
              XAUTHORITY can be used to specify an alternate location.  Xdm
              automatically passes a cookie to the server for each new login
              session, and stores the cookie in the user file at login.

              The cookie is transmitted on the network without encryption, so
              there is nothing to prevent a network snooper from obtaining the
              data and using it to gain access to the X server.  This system
              is useful in an environment where many users are running
              applications on the same machine and want to avoid interference
              from each other, with the caveat that this control is only as
              good as the access control to the physical network.  In
              environments where network-level snooping is difficult, this
              system can work reasonably well.
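              As an added illustration that is not part of this manual page or
              of the X sample implementation: the Python below reconstructs the
              MIT-MAGIC-COOKIE-1 exchange described above.  It serialises and
              parses an .Xauthority record (Xau file format, big-endian
              lengths), builds the X11 connection-setup request in which the
              client carries the authorization name and the 16-byte cookie, and
              performs the server-side comparison.  The field layouts follow
              the X11 protocol and Xau formats; the function names and the
              sample values are my own, and the cookie is only compared in
              constant time, never transmitted in any protected form, which is
              exactly why a snooper on the wire can read it.

```python
import hmac
import struct

COOKIE_PROTO = b"MIT-MAGIC-COOKIE-1"
FAMILY_LOCAL = 256  # Xau FamilyLocal: a display reached over a local socket


def xauth_entry(family, address, number, name, data):
    """Serialise one .Xauthority record: u16 family, then four (u16 length, bytes) fields, big-endian."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out


def parse_xauth(blob):
    """Yield (family, address, display number, auth name, auth data) for each record."""
    off = 0
    while off < len(blob):
        family, off, fields = struct.unpack_from(">H", blob, off)[0], off + 2, []
        for _ in range(4):
            n = struct.unpack_from(">H", blob, off)[0]
            fields.append(blob[off + 2:off + 2 + n])
            off += 2 + n
        yield (family, *fields)


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)  # X pads variable-length fields to 4-byte boundaries


def setup_request(name, data, little_endian=True):
    """Build the client's X11 connection-setup request (protocol 11.0) carrying name and data."""
    order, tag = ("<", b"l") if little_endian else (">", b"B")
    hdr = struct.pack(order + "cxHHHHxx", tag, 11, 0, len(name), len(data))
    return hdr + _pad4(name) + _pad4(data)


def parse_setup(req):
    """Server side: extract (auth name, auth data), honouring the client's byte-order byte."""
    order = {b"l": "<", b"B": ">"}[req[0:1]]
    _tag, _major, _minor, n, d = struct.unpack_from(order + "cxHHHHxx", req, 0)
    data_off = 12 + len(_pad4(req[12:12 + n]))
    return req[12:12 + n], req[data_off:data_off + d]


def server_accepts(req, server_cookies):
    """Accept only MIT-MAGIC-COOKIE-1 with a 128-bit cookie equal to one the server holds."""
    name, data = parse_setup(req)
    if name != COOKIE_PROTO or len(data) != 16:
        return False
    # constant-time compare, so timing does not leak how many cookie bytes matched
    return any(hmac.compare_digest(data, c) for c in server_cookies)
```

              A client would read its record for display :0 with parse_xauth
              and hand the name and data fields to setup_request; the cookie
              bytes appear unchanged inside the resulting request.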