Hello all, I am Ian Liu and this is my first post to this list, salute.

*Short description*

Why doesn't X11 include the authorization cookie when DISPLAY's host is localhost? Is there a way to include it?

*Long description*

I work on a project where we do X11 forwarding "by hand", meaning that we manually register xauth cookies and set displays. We may have a scenario like this: machine *A* connects to *B*, which connects to *C* via locally bound TCP. The bridge between the machines is done with SSH forwards. The display is on machine *A*, and a graphical program runs on *C*, so we make SSH tunnels between *A*-*B* and *B*-*C*, and export the DISPLAY variable in *C* to *localhost:port*, where *port* is the port forwarded by the ssh tunnel, minus 6000.

When the connection reaches *A*, usually we must forward the incoming TCP connection to the X11 unix domain socket (/tmp/.X11-unix/X0). We did this by writing our own TCP to Unix socket forwarder. But our forwarder creates a security issue when executed by the user. It allows arbitrary users to export their display to the first one's display.

So, what we did was to make the same check SSH does when forwarding X, which is to compare the xauth cookie that arrives in the header of an X connection. But, if the display exported is localhost, X doesn't send the authorization cookie, and we cannot validate it anymore. Is there a reason for this?

I hope I was clear enough, please advise me if nothing was understood.

Kind regards,
Ian L. Rodrigues.

PS.: The project I work on is Free software, available here: bitbucket.org/gebrproject/gebr
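
The cookie check described in the message above, as an added example that is not part of the original post or of the GêBR project's code: it parses the X11 connection setup request a forwarder receives, extracts the authorization name and data, and compares the cookie in constant time. The function names, the sample cookie, and the fail-closed handling of a request that carries no authorization data are assumptions of this sketch.

```python
import hmac
import struct

COOKIE_PROTO = b"MIT-MAGIC-COOKIE-1"

def pad4(n):
    """X11 pads variable-length fields to a multiple of 4 bytes."""
    return (n + 3) & ~3

def parse_setup(buf):
    """Return (auth_name, auth_data) from a connection setup request,
    None if more bytes are needed; raise ValueError if malformed."""
    if len(buf) < 12:
        return None
    if buf[:1] == b"l":        # client sends LSB first
        endian = "<"
    elif buf[:1] == b"B":      # client sends MSB first
        endian = ">"
    else:
        raise ValueError("bad byte-order mark")
    major, _minor, nlen, dlen = struct.unpack(endian + "HHHH", buf[2:10])
    if major != 11:
        raise ValueError("not an X11 setup request")
    data_off = 12 + pad4(nlen)
    if len(buf) < data_off + pad4(dlen):
        return None
    return buf[12:12 + nlen], buf[data_off:data_off + dlen]

def client_authorized(buf, expected_cookie):
    """Assumed policy: fail closed. A request with empty auth fields
    (the case the post describes) is rejected, not passed through."""
    parsed = parse_setup(buf)
    if parsed is None:
        return False
    name, data = parsed
    if name != COOKIE_PROTO:
        return False
    return hmac.compare_digest(data, expected_cookie)  # constant-time compare

def build_setup(name, data, endian="<"):
    """Construct a sample setup request (test input, not captured traffic)."""
    head = (b"l" if endian == "<" else b"B") + b"\0"
    head += struct.pack(endian + "HHHHH", 11, 0, len(name), len(data), 0)
    return head + name.ljust(pad4(len(name)), b"\0") + data.ljust(pad4(len(data)), b"\0")

SAMPLE_COOKIE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

if __name__ == "__main__":
    print(client_authorized(build_setup(COOKIE_PROTO, SAMPLE_COOKIE), SAMPLE_COOKIE))
    print(client_authorized(build_setup(b"", b""), SAMPLE_COOKIE))
```
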