Thomi Richards wrote:
> I'm trying to write an application that runs as a daemon and monitors
> running X sessions. Right now I'm struggling to find documentation
> regarding the X security model.

Start with the Xsecurity man page (if it's not installed in your distro,
the nroff source is at:
http://cgit.freedesktop.org/xorg/doc/xorg-docs/tree/man/general/Xsecurity.man )

> In my test environment, the X server is started like this:
>
> /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-QBEVDj
>
> That file contains a single entry, that looks like this:
>
> #ffff##: MIT-MAGIC-COOKIE-1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
>
> by adding an entry to ~/.Xauthority with the same hex key, I can
> connect to the X server. However, this is difficult because I need to
> programmatically find the auth file the X server is using (the
> location of which I guess will change from distro to distro, and
> probably from one boot to the next),

The auth directory should be constant on a given distro, but the file
name is a random string that changes every time the X server process
is restarted.

> then query it, then write a new
> auth file. If the process is running as a daemon, it might not have a
> home directory, so how do I know where to write the new entries to?

You can setenv XAUTHORITY to the file name to look for cookies in - if
your daemon is running as root, it could even be set to the /var/run/...
file itself.

> Ideally, what I'm looking for is a way to bypass the need to have the
> xauth cookie in ~/.Xauthority, or even to know what the cookie is at
> all. I realise that this is unlikely - what good is a security model
> if it's easily bypassed? but I'm hoping someone on this list may have
> a few good ideas. Is there a way to specify that my process is
> privileged and thus should automatically be given access to any
> display on the local machine?

Modern X servers on current platforms allow authentication by username
or groupname - "xhost +si:localuser:root" for instance. I think, but
don't remember ever trying, that you can include these in the default
authentication list in /etc/X0.hosts (replace 0 with the display id for
Xservers other than :0).

-- 
-Alan Coopersmith- [email protected]
Sun Microsystems, Inc. - X Window System Engineering
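
Added example, not part of the original message: one way a root daemon on Linux could locate the randomly named auth file by reading the `-auth` argument from the running X server's command line, then build a client environment with XAUTHORITY pointing at it. The function names, the `/proc` scan, and the `X`/`Xorg` process names are assumptions of this sketch; the sample command line is the one quoted in the thread.

```python
import os

def parse_x_cmdline(argv):
    """Return (display, auth_file) from an X server argv; either may be None."""
    display, auth = None, None
    args = iter(argv[1:])
    for arg in args:
        if arg == "-auth":
            auth = next(args, None)  # the option takes the following word
        elif arg.startswith(":") and arg[1:].split(".")[0].isdigit():
            display = arg            # display argument such as ":0"
    return display, auth

def find_x_servers(proc="/proc", names=("X", "Xorg")):
    """Yield (pid, display, auth_file) for each X server visible in /proc."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                raw = f.read().rstrip(b"\0").split(b"\0")
        except OSError:
            continue  # process exited, or cmdline not readable
        argv = [os.fsdecode(a) for a in raw]
        if argv and os.path.basename(argv[0]) in names:
            display, auth = parse_x_cmdline(argv)
            # An X server started without a display argument uses :0.
            yield int(pid), display or ":0", auth

def client_env(display, auth_file, base=None):
    """Environment for an X client: DISPLAY plus XAUTHORITY if a file is known."""
    env = dict(os.environ if base is None else base)
    env["DISPLAY"] = display
    if auth_file:
        env["XAUTHORITY"] = auth_file
    return env

# Command line quoted in the thread, split into argv form.
SAMPLE = "/usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-QBEVDj".split()

if __name__ == "__main__":
    for pid, display, auth in find_x_servers():
        print(pid, display, auth)
```

The daemon still needs read permission on the auth file itself, which is why the reply above mentions running as root.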
