
X11 Forwarding 102

Alan Coopersmith
Senior Principal Software Engineer

Chris Gerhard wrote a post last week he called “X11 Forwarding 101” on using xauth to grant permissions to your X display when you su to root. I was all ready to write a response about how the complex steps he'd shown could be replaced by a simple, yet secure, command in Solaris 10 [1]:

xhost +si:localuser:root

but before I could, I got a mail from Casper asking why that feature wasn't working the same in Xsun as in Xorg. A few more e-mails exchanged and he had narrowed it down to it working with Xorg with all connection types, and Xsun with local TCP connections (“localhost:0”), but not with Xsun using Unix domain sockets (“unix:0”) or named pipes (“:0”)[2].

It turns out there was a bug in local connection type handling that I'd fixed when porting the localuser code from Xsun to Xorg for Xorg 6.8.0, but forgot to backport to Xsun. It was processing the list of hosts first, then exiting before checking the ServerInterpreted types so never saw the localuser type as allowable. I've filed this in Sun's bug database as 6380709 and am putting a fix into Nevada build 34.

Until that fix is out, I guess you'll have to stick with Chris' instructions for Xsun, unless you want to use the slower TCP transport for local connections, but if you are using Xorg on Solaris 10 or Nevada, you can try “xhost +si:localuser:username” when you want to grant another user on the same machine (in the same zone if on a multi-zone machine in Solaris 10) access to your display.

[1] Actually any OS with both Xorg 6.8.0 or later and support for a secure method of determining the identity of the user on the other end of a local connection, such as Solaris 10's getpeerucred or a similar interface such as getpeereid or SO_PEERCRED.

[2] At the level where authentication is done, the shared memory transport in Solaris is treated as a named pipe connection, since that is how the connection is established.


Comments ( 1 )
  • Chris Gerhard Monday, February 6, 2006

    Cool. How does it solve the problem for connections over ssh? How can I securely grant access to root on a remote host and have all the traffic go over the ssh tunnel?
