Limiting X11 Access

Limiting X11 Access

With the X Window System(TM), workstations can run client programs transparently on other hosts on the network. This access is completely independent of controls such as login accounts and passwords and is done through X protocols.

By default, IRIX workstations are configured to allow complete, transparent access for all workstations on the network that use the X Window System. You can change this using the xhost(1) server access control program and the configuration file /etc/X*.hosts. In the configuration filename, the asterisk (*) corresponds to the number of the server on the local host. This is usually 0, so for most workstations the file is /etc/X0.hosts.

When the X server starts, it checks the file /etc/X*.hosts. For example, server 0 checks for /etc/X0.hosts, server 1 checks for /etc/X1.hosts, and so forth. If the file is missing, or is empty, no remote hosts are allowed access to the server. If the file contains a single plus sign (+), all remote hosts are allowed access. (This is the default.)

Next, the xhost command is run from the file /usr/lib/X11/xdm/Xsession. In the default Xsession file, xhost allows access to all remote hosts. To change the default server-access permissions, you must change how the xhost command is run from the Xsession file. Then, you can customize the /X*.hosts file.

xhost Command

The xhost command modifies the internal state of the X server. Using xhost, you can allow or deny server access for specific hosts, or for all hosts. Note that the xhost options that affect access control can be run only from the same workstation as the server.

For example, to deny other hosts access to the X server comment out the xhost line in /var/X11/xdm/Xsession and /var/X11/xdm/Xsession.dt:

# Gives anyone on any host access to this display
/usr/bin/X11/xhost +

to look like this:

# Gives anyone on any host access to this display
# /usr/bin/X11/xhost +

The xhost command can also be used interactively. To completely deny access to all hosts on your network through X protocols, use this command:

# xhost -

To allow complete access to all hosts on your network, use this command:

# xhost +

To selectively grant or deny access, specify the name of the specific host or hosts on the command line. For example, this command grants access to a host named brooklyn:

# xhost +brooklyn

When granting access, the plus sign (+) is optional.

This command denies access to both brooklyn and bronx:

# xhost -brooklyn -bronx

To see which hosts are currently allowed access to the server, run xhost from the command line with no options:

# xhost

You can advise users not to use xhost +, or you may delete the command from the system if it is a perceived security risk.

X*.xhost File

You can selectively allow access to remote hosts by listing their names in the /etc/X*.hosts file. For example, if the file /etc/X0.hosts contains the following line, the remote host bronx is the only workstation allowed to access the local server for server 0:

bronx

In the above example, all other hosts are denied access to the local server--assuming you do not have a conflicting xhost command in the /var/X11/xdm/Xsession or /var/X11/xdm/Xsession.dt file. The xhost command overrides the configuration file X*.hosts. To alter the default system configuration, you must not only modify the configuration file, but also change the xhost command in the /var/X11/xdm/Xsession file.

Note: Do not link the file X*.hosts to any other network host database, such as /etc/hosts or /etc/hosts.equiv. When the X server starts, it attempts to establish a connection to all hosts that are allowed access permission in the X*.hosts file. If this file contains a large number of hosts that are allowed access to the server, you have to wait until connections are established with each of the hosts before the server is started. For even better security (just commenting out xhost + still allows local programs to connect to the X server), you can enable X authority. To do this, change the DisplayManager*authorize entry in /var/X11/xdm/xdm-config to say:

DisplayManager*authorize: on

This makes xdm generate "magic cookies" (put in each user's $HOME/.Xauthority file), which are then required for any X client to connect to the X server. This provides a good means of X server access control. (Note that this may already be the default on your system.)

For more information about X security and authorization, see the xsecurity(1), xhost(1), xauth(1), xserver(1), and X(1) reference pages.