This page describes access control and authentication mechanisms in X - and how you can implement your own.

This page does not describe security advisories. For that, see the SecurityPage.

Server Authentication

The core X protocol includes simple, host-based authentication. The familiar "xhost" client program is used to manipulate the list of allowable hosts.

The server supports a variety of additional authentication methods as add-ons. Authentication data is delivered to the server in the initial data that is sent by the connecting client. A string identifies the authentication method being used. The authentication methods currently supported in the X.Org xserver are:

  • MIT-MAGIC-COOKIE-1: The most popular scheme, in which a certain string of bytes (the "cookie") must be presented. The server is started up with a file that contains the cookies, and Xlib reads cookies from a file, typically ~/.Xauthority. The "xauth" client program can be used to manipulate the cookies. Most desktop distributions make use of this method.
  • XDM-AUTHORIZATION-1
  • SUN-DES-1
  • MIT-KERBEROS-5
  • XC-QUERY-SECURITY-1: A pseudo method used to find out whether the server supports certain extensions in trusted mode or "site policy" strings. This method is unused in all X implementations that this author is aware of (if you know otherwise, please make a note here - deprecation is being considered).

The authentication code is located in the os directory of the xserver, in auth.c and other files. An update being considered would move the authentication methods out of the xserver and implement them as PAM modules (libraries).

Server Access Control

The X server has long included an extension, SECURITY, which provides support for a simple trusted/untrusted connection model. Untrusted clients are restricted in certain ways to prevent them from reading window contents of other clients, stealing input events, etc. Documentation for this extension is located in the xorg-docs package. This extension has several limitations:

  • X server extensions are not well protected. They can only be turned off entirely.
  • Creating untrusted clients is cumbersome since cookie authentications must be "generated" using a protocol request. However, recent version of ssh do make use of this functionality.
  • Some portions of the extension, including the property configuration file and the query security authentication method described above, remain unused.

Starting with release 7.2 the X server includes a general framework for building security extensions, the X Access Control Extension. The best place to start if you are a security extension writer is with the XACE documentation, which can be found in the xorg-docs package. XACE inherits from the SECURITY extension and has the same coverage problems, but work is ongoing to verify its coverage and extend it to new places, such as protocol extensions.


CategoryServerInternals