X11 Forwarding 102
By alanc on Feb 05, 2006
Chris Gerhard wrote a post last week he called “X11 Forwarding 101” on using xauth to grant permissions to your X display when you su to root. I was all ready to write a response about how the complex steps he'd shown could be replaced by a simple, yet secure, command in Solaris 10 :
xhost +si:localuser:rootbut before I could, I got a mail from Casper asking why that feature wasn't working the same in Xsun as in Xorg. A few more e-mails exchanged and he had narrowed it down to it working with Xorg with all connection types, and Xsun with local TCP connections (“localhost:0”), but not with Xsun using Unix domain sockets (“unix:0”) or named pipes (“:0”).
It turns out there was a bug in local connection type handling that I'd fixed when porting the localuser code from Xsun to Xorg for Xorg 6.8.0, but forgot to backport to Xsun. It was processing the list of hosts first, then exiting before checking the ServerInterpreted types so never saw the localuser type as allowable. I've filed this in Sun's bug database as 6380709 and am putting a fix into Nevada build 34.
Until that fix is out, I guess you'll have to stick with Chris' instructions for Xsun, unless you want to use the slower TCP transport for local connections, but if you are using Xorg on Solaris 10 or Nevada, you can try “xhost +si:localuser:username” when you want to grant another user on the same machine (in the same zone if on a multi-zone machine in Solaris 10) access to your display.
 Actually any OS with both Xorg 6.8.0 or later and support for a secure method of determining the identity of the user on the other end of a local connection, such as Solaris 10's getpeerucred or a similar interface such as getpeereid or SO_PEERCRED.
 At the level authentication is done, the shared memory transport in Solaris is treated as a named pipe connection, since that it how the connection is established.