
I have an X.org server running on my machine (Gentoo Linux without PAM, PolicyKit etc), incoming TCP connections are disabled with -nolisten tcp.

Is it possible to establish a whitelist specifying which local users are allowed to open windows on that X11 display?

Edit: I start my X server with this systemd unit:

```
[Unit]
Description=X Window System
Requires=systemd-user-sessions.service
After=systemd-user-sessions.service

[Service]
ExecStart=/usr/bin/xinit ${HOME}/.xinitrc -- -nolisten tcp vt09
User=myuser
Environment=SHELL=/bin/bash

[Install]
Alias=display-manager.service
```

Edit 2: I've modified it to this ...

```
ExecStart=/usr/bin/xinit ${HOME}/.xinitrc -- -auth ${HOME}/.Xauthority -nolisten tcp vt09
```

... created ${HOME}/.Xauthority ...

```
mcookie | sed -e 's/^/add :0 . /' | xauth -q
```

... and restarted the X server. Voila, authorisation is now default-deny. To give specific users access, I've copied .Xauthority to their home directory.

xhost commands weren't used.

user267565
  • I think it is notable that the default-allow scenario can also occur when the .Xauthority file is empty. / a --auth option didn't create it for me either, had to do it manually. https://superuser.com/questions/806637/xauth-not-creating-xauthority-file?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa – phil294 May 13 '18 at 21:24

2 Answers


With Xorg – yes, by using a special kind of "server-interpreted" addresses:

```
xhost +SI:localuser:root
xhost +SI:localuser:jim
```

Alternatively, you could give every user a copy of the Xauthority file that you used for Xorg -auth ….

However, X11 was not designed for multiple users accessing the same display, and every client basically has full access, so you're introducing a huge security hole by doing this – any user could monitor the entire screen, run a keylogger, grant anyone else access, or revoke access for existing users.

u1686_grawity
  • I've tried your suggestion, but I seem to have a default-allow permission model set up, so it doesn't limit other users. I've added some information about how the X server is started. – user267565 Oct 28 '13 at 16:09
  • For context: An X11 sandbox is just what I'm building. The classic approach uses Xephyr, I'm using xpra and it works, but what's the point if the sandboxed user can just connect to the real X11 server anyway? – user267565 Oct 28 '13 at 16:47
  • @user267565: The sandboxed user can connect to the real X11 server **only if you allow it** – either by adding it to `xhost`, or by giving it a copy of the Xauth data. – u1686_grawity Oct 28 '13 at 18:25
  • For others who had the same problem: *Unless* the X server is started with the -auth parameter, that parameter points to an existing and readable file, and that file is nonempty and contains valid data, the server will be default-allow. – user267565 Oct 29 '13 at 14:47
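
The conditions listed in the last comment above can be checked before the server is started. The following Python sketch is an added example, not part of the original thread: `parse_xauthority`, `check_auth` and the sample entry are constructed for illustration, and the pass/fail rule encodes the comment's description rather than Xorg's source code.

```python
import struct

# Protocol names a cookie entry normally carries; treated here as "valid data".
KNOWN_PROTOCOLS = {b"MIT-MAGIC-COOKIE-1", b"XDM-AUTHORIZATION-1"}

def parse_xauthority(blob):
    """Parse Xauthority bytes: per entry a 2-byte family, then four
    length-prefixed fields (address, display number, protocol name, data),
    all integers big-endian. Raises ValueError on truncated input."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family")
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            if pos + 2 > len(blob):
                raise ValueError("truncated length prefix")
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated field")
            fields.append(blob[pos:pos + n])
            pos += n
        entries.append((family, *fields))
    return entries

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def check_auth(xorg_argv, read_file=_read):
    """Return (default_deny, reason) for an X server command line."""
    if "-auth" not in xorg_argv[:-1]:
        return False, "no -auth <file> on the command line"
    path = xorg_argv[xorg_argv.index("-auth") + 1]
    try:
        entries = parse_xauthority(read_file(path))
    except OSError:
        return False, "auth file missing or unreadable"
    except ValueError as err:
        return False, f"auth file malformed ({err})"
    usable = [e for e in entries if e[3] in KNOWN_PROTOCOLS and e[4]]
    if not usable:  # also covers the empty-file case
        return False, "auth file has no usable entries"
    return True, f"{len(usable)} usable entries"

# Constructed sample: one FamilyLocal (256) entry for display 0 on "myhost".
def _f(b): return struct.pack(">H", len(b)) + b
SAMPLE = (struct.pack(">H", 256) + _f(b"myhost") + _f(b"0")
          + _f(b"MIT-MAGIC-COOKIE-1") + _f(bytes(range(16))))
```

A `True` result only covers the cookie side; users added with `xhost` are granted access independently of the Xauthority file.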

You can also disable xhost security with:

```
xhost +
```

thedude