Xhost
In the X Window System, programs run as X clients, and as such they connect to the X display server, possibly via a computer network. Since the network may be accessible to other users, a method is needed to deny display access to programs run by users other than the one who is logged in. There are five standard access control mechanisms that control whether a client application can connect to an X display server. They can be grouped in three categories:

1. access based on host
2. access based on cookie
3. access based on user

Additionally, like every other network connection, tunneling can be used.


Host-based access

The host-based access method consists in specifying a set of hosts that are authorized to connect to the X display server. This system has inferior security, as it allows every user who has access to such a host to connect to the display. The xhost program and three X Window System core protocol requests are used to activate this mechanism and to display and change the list of authorized hosts. Improper use of xhost can inadvertently give every host on the Internet full access to an X display server.


Cookie-based access

The cookie-based authorization methods are based on choosing a magic cookie (an arbitrary piece of data) and passing it to the X display server when it is started; every client that can prove knowledge of this cookie is then authorized to connect to the server. These cookies are created by a separate program and stored, by default, in the file .Xauthority in the user's home directory. As a result, every program run by that user on the local computer can access this file and therefore the cookie that is necessary for being authorized by the server. If the user wants to run a program from another computer on the network, the cookie has to be copied to that other computer. How the cookie is copied is a system-dependent issue: for example, on Unix-like platforms, scp can be used to copy the cookie. The two systems using this method are MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. In the first method, the client simply sends the cookie when requested to authenticate. In the second method, a secret key is also stored in the .Xauthority file. The client creates a string by concatenating the current time, a transport-dependent identifier, and the cookie, encrypts the resulting string, and sends it to the server. The xauth application is a utility for accessing the .Xauthority file. The environment variable XAUTHORITY can be defined to override the name and location of that cookie file.

The Inter-Client Exchange (ICE) Protocol for direct communication between X11 clients uses the same MIT-MAGIC-COOKIE-1 authentication method, but has its own iceauth utility for accessing its own .ICEauthority file, the location of which can be overridden with the environment variable ICEAUTHORITY. ICE is used, for example, by DCOP and the X Session Management protocol (XSMP).
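The .Xauthority file the section describes is a flat sequence of records, each made of a 16-bit big-endian family code followed by four length-prefixed fields (address, display number, authorization name, authorization data). The parser below is an added example written for this page, not code from xauth or the X.Org project; the constructed sample file, the hostname "workstation" and the 16-byte cookie in it are made up, and the review rules (a MIT-MAGIC-COOKIE-1 cookie is expected to be 16 bytes; a FamilyWild entry is accepted for any address) are this example's own checks. It also honours the XAUTHORITY override mentioned above and refuses truncated files instead of silently reading a partial cookie.

```python
import os
import struct
from dataclasses import dataclass

# Family codes as they appear in .Xauthority entries (values from X.h / Xauth.h).
FAMILY_INTERNET = 0
FAMILY_INTERNET6 = 6
FAMILY_LOCAL = 256       # entry keyed by the local hostname
FAMILY_WILD = 65535      # entry matches any address
FAMILY_NAMES = {
    FAMILY_INTERNET: "FamilyInternet",
    FAMILY_INTERNET6: "FamilyInternet6",
    FAMILY_LOCAL: "FamilyLocal",
    FAMILY_WILD: "FamilyWild",
}


@dataclass
class XauthEntry:
    family: int
    address: bytes   # hostname or packed IP address, depending on family
    number: bytes    # display number as ASCII text, e.g. b"0"
    name: bytes      # authorization protocol name, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes      # the cookie (for XDM-AUTHORIZATION-1 the key follows it)


def xauthority_path() -> str:
    """XAUTHORITY overrides the default ~/.Xauthority location."""
    return os.environ.get("XAUTHORITY") or os.path.join(
        os.path.expanduser("~"), ".Xauthority")


def _read_counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    # Each field is a big-endian 16-bit length followed by that many bytes.
    if pos + 2 > len(buf):
        raise ValueError("truncated length field at offset %d" % pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated field body at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def parse_xauthority(buf: bytes) -> list[XauthEntry]:
    """Decode every record in the file; raises ValueError on a truncated file."""
    entries = []
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated family field at offset %d" % pos)
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _read_counted(buf, pos)
        number, pos = _read_counted(buf, pos)
        name, pos = _read_counted(buf, pos)
        data, pos = _read_counted(buf, pos)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def serialize_entry(e: XauthEntry) -> bytes:
    """Inverse of parse_xauthority for one record (the layout `xauth add` writes)."""
    out = struct.pack(">H", e.family)
    for field in (e.address, e.number, e.name, e.data):
        out += struct.pack(">H", len(field)) + field
    return out


def review_entries(entries: list[XauthEntry]) -> list[str]:
    """Return human-readable findings for records worth a second look."""
    findings = []
    for i, e in enumerate(entries):
        fam = FAMILY_NAMES.get(e.family, "family %d" % e.family)
        if e.name == b"MIT-MAGIC-COOKIE-1" and len(e.data) != 16:
            findings.append("entry %d: MIT-MAGIC-COOKIE-1 cookie is %d bytes, expected 16"
                            % (i, len(e.data)))
        if e.family == FAMILY_WILD:
            findings.append("entry %d: %s entry is accepted for any address" % (i, fam))
    return findings


# Constructed sample file (not a real cookie): one local entry plus one wildcard entry.
SAMPLE_COOKIE = bytes(range(16))
SAMPLE_FILE = (
    serialize_entry(XauthEntry(FAMILY_LOCAL, b"workstation", b"0",
                               b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE))
    + serialize_entry(XauthEntry(FAMILY_WILD, b"", b"0",
                                 b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE))
)

if __name__ == "__main__":
    parsed = parse_xauthority(SAMPLE_FILE)
    for e in parsed:
        print(FAMILY_NAMES.get(e.family, e.family), e.address, e.number, e.name, e.data.hex())
    for finding in review_entries(parsed):
        print("finding:", finding)
```

To inspect a real file, read the bytes from `xauthority_path()` and pass them to `parse_xauthority`; the same records are what `xauth list` prints in text form.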


User-based access

The user-based access methods work by authorizing specific users to connect to the server. When a client establishes a connection to a server, it has to prove being controlled by an authorized user. The two methods based on authenticating users using networked identity management systems are SUN-DES-1 and MIT-KERBEROS-5. The first system is based on a secure mechanism of the ONC remote procedure call system developed in SunOS. The second mechanism is based on both client and server trusting a Kerberos server. A third method is limited to local connections, using system calls to ask the kernel what user is on the other end of a local socket. The xhost program can be used to add or remove localuser and localgroup entries with this method.


Tunneling

The SSH utility (when invoked with option -X or option ForwardX11) tunnels X11 traffic from remotely invoked clients to the local server. It does so by setting at the remote site the DISPLAY environment variable to point to a local TCP socket opened there by sshd, which then tunnels the X11 communication back to ssh. sshd then also calls xauth to add at the remote site an MIT-MAGIC-COOKIE-1 string into .Xauthority there, which then authorizes X11 clients there to access the ssh user's local X server. X11 connections between client and server over a network can also be protected using other secure-channel protocols, such as Kerberos/GSSAPI or TLS, although such options are now far more rarely used than SSH.


External links


X security manual page (Xsecurity 7)