In the X Window System, programs run as X clients, and as such they connect to the X display server, possibly via a computer network. Since the network may be accessible to other users, a method for forbidding access to programs run by users different from the one who is logged in is necessary.

There are five standard access control mechanisms that control whether a client application can connect to an X display server. They can be grouped in three categories:

- access based on host
- access based on cookie
- access based on user

Additionally, like every other network connection, tunneling can be used.

Host-based access

The host-based access method consists in specifying a set of hosts that are authorized to connect to the X display server. This system has inferior security, as it allows every user who has access to such a host to connect to the display. The xhost program and three X Window System core protocol requests are used to activate this mechanism and to display and change the list of authorized hosts. Improper use of xhost can inadvertently give every host on the Internet full access to an X display server.

Cookie-based access

The cookie-based authorization methods are based on choosing a magic cookie (an arbitrary piece of data) and passing it to the X display server when it is started; every client that can prove knowledge of this cookie is then authorized to connect to the server.

These cookies are created by a separate program and stored in the file .Xauthority in the user's home directory, by default. As a result, every program run by the client on the local computer can access this file and therefore the cookie that is necessary for being authorized by the server. If the user wants to run a program from another computer on the network, the cookie has to be copied to that other computer. How the cookie is copied is a system-dependent issue: for example, on Unix-like platforms, scp can be used to copy the cookie.

The two systems using this method are MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. In the first method, the client simply sends the cookie when requested to authenticate. In the second method, a secret key is also stored in the .Xauthority file. The client creates a string by concatenating the current time, a transport-dependent identifier, and the cookie, encrypts the resulting string, and sends it to the server.

The xauth application is a utility for accessing the .Xauthority file. The environment variable XAUTHORITY can be defined to override the name and location of that cookie file.

The Inter-Client Exchange (ICE) Protocol implemented by the Inter-Client Exchange Library for direct communication between X11 clients uses the same MIT-MAGIC-COOKIE-1 authentication method, but has its own iceauth utility for accessing its own .ICEauthority file, the location of which can be overridden with the environment variable ICEAUTHORITY. ICE is used, for example, by DCOP and the X Session Management protocol (XSMP).

User-based access

The user-based access methods work by authorizing specific users to connect to the server. When a client establishes a connection to a server, it has to prove that it is controlled by an authorized user.

The two methods based on authenticating users using networked identity management systems are SUN-DES-1 and MIT-KERBEROS-5. The first system is based on a secure mechanism of the ONC remote procedure call system developed in SunOS. The second mechanism is based on both client and server trusting a Kerberos server.

A third method is limited to local connections, using system calls to ask the kernel what user is on the other end of a local socket. The xhost program can be used to add or remove localuser and localgroup entries with this method.

Tunneling

The SSH utility (when invoked with option -X or option ForwardX11) tunnels X11 traffic from remotely invoked clients to the local server. It does so by setting at the remote site the DISPLAY environment variable to point to a local TCP socket opened there by sshd, which then tunnels the X11 communication back to ssh. sshd then also calls xauth to add an MIT-MAGIC-COOKIE-1 string to .Xauthority at the remote site, which then authorizes X11 clients there to access the ssh user's local X server.

X11 connections between client and server over a network can also be protected using other secure-channel protocols, such as Kerberos/GSSAPI or TLS, although such options are now far more rarely used than SSH.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.