Graphical Environment Guide
Chapter 4, Running remote programs

Granting access to specific accounts

If you log in through scologin, you can control display access by using an authorization protocol called MIT-MAGIC-COOKIE. If scologin's authorize configuration resource is set, both the X server and the user receive an authorization code called a "magic cookie" at login. If a user attempts to run a client on an X server but does not have the required authorization record, the server denies the client access. For details on configuring scologin, see "Customizing scologin" and the scologin(XC) manual page.

The user receives the magic cookie through an authorization file in the $HOME directory, named .Xauthority. The authorization file may contain authorization codes for multiple X servers, allowing the user to run clients on these servers. For security, only the user has read or write permissions on authorization files. However, the user who logged in through scologin can share authorization records with other users.


NOTE: Host access permissions override user authorization restrictions. If the host machine has obtained access permission through one of the /etc/Xn.hosts files or the xhost utility, any user on the host can access the display without having the X server's authorization code. See "Granting access to specific hosts" for more information on /etc/Xn.hosts files and the xhost utility.

To grant access permission to a specific user, perform the following steps. You must be logged in as root to perform this task.

  1. Edit the /etc/Xn.hosts files and remove any host names listed.

  2. Configure scologin so it runs the X server with the magic cookie authorization protocol. The /usr/lib/X11/scologin/Xconfig file must contain the following resource specification:

    DisplayManager*authorize: true

    When you have finished, restart scologin.

  3. Log in through the scologin window.

  4. Run xhost to make sure no other host access permissions exist for your session. (For example, host permissions may be specified in $HOME/.startxrc.) If any host does have access permission, remove the permission with the following command:

    xhost -

  5. To make sure your authorization file includes an authorization record for the X server, run the following command:

    xauth list

    Extract the X server's authorization code by running:

    xauth extract tempfilename displayname

    In this command, tempfilename is a temporary file in which the authorization code is stored before it is merged, and displayname is the name of the display as shown by the previous xauth list command.

    Finally, merge it with the other user's authorization file by running:

    xauth merge tempfilename

    In this command, tempfilename is the same temporary file created by the xauth extract command.
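
The checks in steps 4 and 5, together with the file-permission rule and the NOTE on host access, can be scripted and run before a record is shared. The following is an added example, not part of the original guide; the function names and the xhost and xauth list output layouts it parses are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original guide. The xhost and xauth output
# layouts parsed here are assumptions; check them against your own system.

# Succeeds only if FILE is a regular file with no group or other permissions.
authfile_is_private() {
    perms=$(ls -ld -- "$1" 2>/dev/null) || return 1
    case "$perms" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reads xhost output on stdin and prints every entry that bypasses the cookie
# check. Assumes line 1 is the "access control ..." status line and each
# later non-empty line names one permitted host.
host_overrides() {
    awk 'NR == 1 { if ($0 ~ /^access control disabled/) print "ANY-HOST"; next }
         NF      { print $1 }'
}

# Reads "xauth list" output on stdin; succeeds if DISPLAYNAME has a
# MIT-MAGIC-COOKIE record (assumed columns: display, protocol, key).
has_cookie_for() {
    awk -v d="$1" '$1 == d && $2 ~ /^MIT-MAGIC-COOKIE/ { found = 1 }
                   END { exit !found }'
}

# Usage: preflight DISPLAYNAME [AUTHFILE]
# Runs all three checks against the live session and reports each failure.
preflight() {
    file=${2:-${XAUTHORITY:-$HOME/.Xauthority}}
    rc=0
    authfile_is_private "$file" ||
        { echo "FAIL: $file is not owner-only" >&2; rc=1; }
    over=$(xhost | host_overrides)
    [ -z "$over" ] ||
        { printf 'FAIL: host access overrides cookies: %s\n' "$over" >&2; rc=1; }
    xauth -f "$file" list | has_cookie_for "$1" ||
        { echo "FAIL: no cookie record for $1" >&2; rc=1; }
    return "$rc"
}
```

A non-zero return from preflight means the cookie is either missing or not the control that actually gates the display, so sharing the record would not restrict access the way the procedure intends.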