4

I have an X.org server running on my machine (Gentoo Linux without PAM, PolicyKit, etc.); incoming TCP connections are disabled with -nolisten tcp.

Is it possible to establish a whitelist specifying which local users are allowed to open windows on that X11 display?

Edit: I start my X server with this systemd unit:

[Unit]
Description=X Window System
Requires=systemd-user-sessions.service
After=systemd-user-sessions.service

[Service]
ExecStart=/usr/bin/xinit ${HOME}/.xinitrc -- -nolisten tcp vt09
User=myuser
Environment=SHELL=/bin/bash

[Install]
Alias=display-manager.service

Edit 2: I've modified it to this ...

ExecStart=/usr/bin/xinit ${HOME}/.xinitrc -- -auth ${HOME}/.Xauthority -nolisten tcp vt09

... created ${HOME}/.Xauthority ...

mcookie | sed -e 's/^/add :0 . /' | xauth -q

... and restarted the X server. Voila, authorisation is now default-deny. To give specific users access, I've copied .Xauthority to their home directory.

xhost commands weren't used.

user267565

2 Answers

2

With Xorg – yes, by using a special kind of "server-interpreted" addresses:

xhost +SI:localuser:root
xhost +SI:localuser:jim

Alternatively, you could give every user a copy of the Xauthority file that you used for Xorg -auth ….

However, X11 was not designed for multiple users accessing the same display, and every client basically has full access, so you're introducing a huge security hole by doing this – any user could monitor the entire screen, run a keylogger, grant anyone else access, or revoke access for existing users.

grawity

1

You can also disable xhost security with:

xhost +

thedude
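Added example, not part of the question or either answer: a shell function that reads `xhost` output on stdin and checks it against a whitelist of local users, flagging the `xhost +` state and any entry that is not an allowed `SI:localuser`. The function name `audit_xhost` and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Audit `xhost` output against a whitelist of local users.
# Usage: xhost | audit_xhost root jim
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_xhost() {
    local allowed line user rc
    allowed=" $* "      # space-padded so whole names can be matched
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # State left behind by `xhost +`: the list is not enforced.
                echo "FAIL: access control disabled, any client can connect"
                rc=1 ;;
            "access control enabled"*|"")
                ;;
            SI:localuser:*)
                user=${line#SI:localuser:}
                case "$allowed" in
                    *" $user "*) echo "ok: $user" ;;
                    *) echo "FAIL: $user is not on the whitelist"; rc=1 ;;
                esac ;;
            *)
                # Host-based or other entries are outside a per-user whitelist.
                echo "FAIL: unexpected entry '$line'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample outputs (not captured from a real server).
sample_enabled='access control enabled, only authorized clients can connect
SI:localuser:root
SI:localuser:jim'
sample_disabled='access control disabled, clients can connect from any host
SI:localuser:jim'

# Demo run on the constructed "xhost +" sample.
printf '%s\n' "$sample_disabled" | audit_xhost root jim \
    || echo "display needs attention"
```

This only covers access granted through xhost; users who hold a copy of the .Xauthority cookie do not appear in `xhost` output.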