XConfig - xhost

The xhost access control program

The xhost program is used to add or revert access to the X server for specified hosts. It's also possible to specify a user and a hostname pair, but this feature needs Secure RPC and NIS running on the involved machines (ask your friendly SysAdmin :) if you're unsure about it). If you use Kerberos V5, it's also possible to specify a Kerberos V5 principal (someone out there who is able to give me a short introduction to Kerberos V5?). Basically xhost allows only a rudimentary form of security and privacy control. It's only sufficient for a single user environment, although it limits the worst abuses. If you work in a multi user environment, you should consider to use the xauth program.

To see if access control is enabled (it should), type xhost. It displays something like this:

:-> xhost
access control enabled, only authorized clients can connect

If the access control is disabled, it prints:

:-> xhost
access control disabled, clients can connect from any host

To disable the access control type xhost + which allows any host to access your X server. You didn't really want to do this because it allows the world to open windows on your screen and grab the keystrokes you type (so your passwords aren't private anymore). To enable the access control again type xhost - and only authorized clients/hosts are allowed to do the above mentioned things.

The basics:

Now we want to do something useful, allow access from a specific host (e.g. because we are logged into it and want to start a X aware program, or we just logged into the same machine again with a different username and also want to start a X aware program). It's easy, just type xhost hostname or xhost +hostname and everyone logged into the host hostname is allowed to access the X server (open some windows on your screen, ...). If you want to give access to the X server to everyone on your local machine type xhost localhost (or xhost +localhost or xhost +the_name_of_our_local_machine). Let's assume we've allowed localhost and friend.his.domain to access our X server, xhost now prints:

:-> xhost
access control enabled, only authorized clients can connect
INET:friend.his.domain
INET:localhost

The INET:localhost part depends on the installation of our machine/network, INET:localhost.my.domain is also possible. Another way of allowing local users to connect to your X server is typing xhost local: (or xhost +local:). This allows non-network local connections to your server (the DISPLAY variable has to be set to ":displaynumber[.screennumber]" instead to "hostname:displaynumber[.screennumber]").

:-> xhost local:
non-network local connections being added to access control list

:-> xhost
access control enabled, only authorized clients can connect
LOCAL:

Ok, after giving access to a specific host we want also to be able to revert a given access. It's easy, just type xhost -hostname and the specified host isn't allowed to access our X server anymore (use xhost -local: if you've used xhost +local:).

It's also possible to specify more than one operation on the command-line, e.g. xhost +host1 -host2 host3. This enables the access to the X server for host1 and host3 and disables the access for host2.
Be warned: don't put a space between the + and the hostname, this didn't only result in adding the specified host to the access control list, it also disables the access control completely (only valid for some versions of xhost)!

What can we do with this?

Because the server didn't break already established connections from clients we are able to just give access to a specific host as long as we need to start the client.

A little bit more restrictive:

After learning the basics let's go to an advanced topic... Secure RPC.
xhost +nis:unix.uid@domainname allows the user uid from the NIS-domain domainname to access our X server. The uid is the numerical user ID of the user. Reverting the access to the X server is done by replacing the "+" by a "-" (as you've expected perhaps). A local user can be specified with just the username and a trailing at-sign ("@"). In the following example I allow access to the local user alex (which has the user id 1000):

:-> xhost +nis:alex@
alex@ (unix.1000@my_NIS.domain) being added to access control list

:-> xhost
access control enabled, only authorized clients can connect
NIS:unix.alex@ (unix.1000@my_NIS.domain)

XXX: I didn't manage to get the NIS-part working (me at host1, Solaris 7, OpenWin, local display. friend at host2, Solaris 7, OpenWin), some hints?
XXX: Here I want to give some information about xhost and Kerberos V5, but I don't know anything about Kerberos V5 (yet). Feel free to mail me an explanation/some pointers.

[XConfig - Main] [XConfig - Security]

Questions, critics and bugfixes to: Alexander+XConfig@Leidinger.net