Granting access to X server with xhost

      6 Comments on Granting access to X server with xhost

Every X server internally manages an ACL (Access Control List) of those hosts, that are allowed to connect. The server only authorizes connections from X clients, whose host is on that list and rejects access to all others. The xhost program is used to add or revert access to the X server for specified hosts. It’s also possible to specify a user and a hostname pair.

Host-based Control (xhost)

To see if access control is enabled, type xhost. It displays the current ACL:

$ xhost
access control enabled, only authorized clients can connect
SI:localuser:user
SI:localuser:gdm
SI:localuser:root

If the access control is disabled, it prints:

$ xhost
access control disabled, clients can connect from any host

To disable the access control type xhost + which allows any host to access your X server. You probaly don’t want to do this because it allows the world to open windows on your screen and grab the keystrokes you type.

To enable the access control again type xhost - and only authorized clients/hosts are allowed to do the things mentioned above.

A simple example

Now let’s do something useful, e.g. grant another user on the local machine access to our X server. It’s pretty easy:

$ xhost +SI:localuser:anotheruser
localuser:anotheruser being added to access control list

And after that, anotheruser should show up in the ACL:

$ xhost
access control disabled, clients can connect from any host
SI:localuser:anotheruser
SI:localuser:user
SI:localuser:gdm
SI:localuser:root

To revoke the access right for anotheruser, use

$ xhost -SI:localuser:anotheruser
localuser:anotheruser being removed from access control list

For granting access to users on different hosts, have a look at the xhost manpage or the examples provided on http://linux.about.com/library/cmd/blcmdl_xhost.htm.

6 thoughts on “Granting access to X server with xhost

  1. Pingback: Unix/Linux:what does Xserver access control mean – Unix Questions

Leave a Reply

Your email address will not be published.