X authentication ????
Joachim Durchholz
joachim.durchholz@REDACTED
Tue Jan 13 14:15:07 CET 2004
Joe Armstrong wrote:
> As I understand things authentication works like this.
>
> When you run an X app it reads the (local) .Xauthority file
> and chooses the cookie of one of the entries in this file to
> start a session with the server.
>
> This is reasonably secure since a remote program cannot read the (local)
> Xauthority file.

Security entirely depends on the authorization protocol in use. Some
send the cookies as plaintext.

> So how does a local client figure out which Xauthority entry to use?
>
> My code tries the following
>
> 1) try "localhost"
> 2) if that fails find the local host name
> and look that up
> 3) give up

Wouldn't it be better to look up the X server name? I think that's how
authorization is supposed to work: the client specifies on what machine
the display should go, the server checks whether the client has proper
credentials.

(Part of the confusion may stem from the fact that the same records are
used by client and server.)

Typical usage:

User logs on to an X machine.
User starts a background task on a remote machine.
Background task is supposed to display a progress bar on user's terminal.
-> Background task is told the host name of user's machine, to use as an
X server for the display.

In an installation running a fixed set of software, the assignment of X
Servers to background processes may be part of a configuration. IOW the
background processes would get their machine names from a file or database.

Regards,
Jo
--
Currently looking for a new job.
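
The lookup discussed in this thread, keyed on the X server named in DISPLAY rather than on a fixed "localhost", as an added example (not code from the original posts or from Joe Armstrong's client). It is a simplified version of the matching libXau performs, covering local and IPv4 servers only; the host name `ws1`, the `resolve` parameter and the sample file contents are constructed for illustration.

```python
import socket
import struct

FAMILY_INTERNET, FAMILY_LOCAL, FAMILY_WILD = 0, 256, 65535  # values from X.h / Xauth.h

def parse_xauthority(blob):
    """Return a list of (family, address, number, auth_name, auth_data)."""
    entries, pos = [], 0
    while pos < len(blob):
        try:
            (family,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields = []
            for _ in range(4):  # each field: 2-byte big-endian length, then bytes
                (n,) = struct.unpack_from(">H", blob, pos)
                pos += 2
                if pos + n > len(blob):
                    raise ValueError("truncated .Xauthority entry")
                fields.append(blob[pos:pos + n])
                pos += n
        except struct.error:
            raise ValueError("truncated .Xauthority entry") from None
        entries.append((family, *fields))
    return entries

def _resolve_ipv4(host):
    return socket.inet_aton(socket.gethostbyname(host))

def select_cookie(blob, display, local_hostname, resolve=_resolve_ipv4):
    """Return (auth_name, auth_data) for the server named in DISPLAY, or None."""
    host, _, rest = display.rpartition(":")
    number = rest.split(".")[0].encode()
    if host in ("", "unix"):   # local server: entry is keyed by our own hostname
        family, address = FAMILY_LOCAL, local_hostname.encode()
    else:                      # remote server: entry is keyed by the server's address
        family, address = FAMILY_INTERNET, resolve(host)
    for fam, addr, num, name, data in parse_xauthority(blob):
        if fam == FAMILY_WILD or (fam == family and addr == address):
            if num in (b"", number):   # an empty number matches any display
                return name.decode(), data
    return None

def _entry(family, *fields):   # builds one record for the constructed sample below
    return struct.pack(">H", family) + b"".join(
        struct.pack(">H", len(f)) + f for f in fields)

# Constructed sample file: one local entry, one for a remote server at 192.0.2.7.
SAMPLE = (_entry(FAMILY_LOCAL, b"ws1", b"0", b"MIT-MAGIC-COOKIE-1", b"\x11" * 16)
          + _entry(FAMILY_INTERNET, bytes([192, 0, 2, 7]), b"0",
                   b"MIT-MAGIC-COOKIE-1", b"\x22" * 16))
```

With MIT-MAGIC-COOKIE-1 the selected `auth_data` is sent unencrypted in the connection setup request, which is the plaintext case mentioned in the reply above.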