How X-Windows Access Control Works
The X-Windows System Version 11 has two primary means of controlling access, xhost and xauth.Â An understanding of how these methods work and the related terminology will help you to secure your display and keep it secure.
X-Windows Server: The X-Windows Server runs on the computer that has the monitor on which a graphical user interface will be displayed.Â The X-Windows server is usually incorporated into Unix and Linux desktop installations, but may be added to Microsoft Windows PCs using programs such as Xwin32 or Exceed.
X-Windows Client: The computer system that is running code that wants to display a graphical user interface.Â In some cases the client and server may be the same system, but if you’re X-Windows server is running on a Microsoft Windows system, the client is generally the Unix or Linux server you are connecting to and running MatLab or Xterm(inal) or similar programs on.
xhost: The xhost program on Unix and Linux sets global policy for the X-server.Â If you are using the console of a Unix or Linux desktop system (where you are seated in front of a monitor directly connected to the Unix system), and you run the command “xhost +” you will allow anyone, anywhere to display things to your X-Windows server.Â You should never use “xhost +“; You never want to trust the entire planet.Â A variant that was frequently employed in the early 1990s was to run “xhost +acs” which will allow any user on the system “acs” to display to your X-Windows server.Â While this is superior to just “xhost +”, you are still trusting a lot of people you don’t know with the security of your desktop.
xauth: The xauth program on Unix and Linx allows you to import and export a short key (a string of numbers and letters) called a magic cookie that you can share between clients and servers to enable communication.Â The server generates the key and it is transferred to the client.Â When the client is ready to display something, it presents the key to the server and the server accepts the connection.
Using xhost and xauth
The best security in the Unix and Linux world is obtained by using xauth and magic cookies.Â It is relatively straight forward to do so, and allows me to specify that “anyone who has this key may display on my server and anyone who does not have this key may not.”Â As long as you are careful about how you distribute your key, this gives you a great deal of control with a minimum amount of effort.Â If you use SSH, the SSH client can even manage the keys for you so you don’t even need to know about them.
In Microsoft Windows the situation is slightly more complicated because Microsoft Windows doesn’t use a command line the way Unix and Linux servers do and don’t contain a native X-Windows server.Â When you install an X-Windows Server like X-Win32, that server will provide a representation of the xauth and xhost mechanism for access control.Â For this environment we suggest you read our information on how to Secure Your X-Windows Server.