connection to ":0.0" refused by server

Alan DuBoff
Wed, 14 Jul 1999 09:28:54 -0700

Chris Waters wrote:

> First of all, do *not* follow the advice that someone else posted of
> using "xhost +".  This is a *major* security hole.  In fact, the xhost
> program is pretty much nothing but a security hole.  (RH probably
> either does this or the slightly less insane "xhost +localhost" by
> default, which is still extremely bad.)
> Instead, browse /usr/doc/X11/FAQ, paying particular attention to the
> question labeled: "How do I run an X client as root when the X session
> is run by a user?"  Or, if you want all the gory details, read the
> xauth(1x) man page.

I do want to know the gory details, and thanks for pointing this out. I am
using the XAUTHORITY environment variable as they suggest. While it requires a
bit of typing after su'ing to the new user, it is the recommended way.

I'll have to read up on it later.

They do mention what a major security violation it is to use xhost.

The thing that blows my mind is that I *KNOW* Solaris doesn't handle that at
all, because I do run Solaris x86 from time to time at home.

The fact that Red Hat allows this while nobody else does kinda bothers me. Now
the opposite question, how can I prevent my Red Hat from doing that?

> A quote from the FAQ:

Yes, I did read that. I think a simple script that sets the XAUTHORITY
environment variable on the command line is best, since it doesn't leave
anything in the environment after the execution is done.



Alan DuBoff
Software Orchestration, Inc.
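As an added example (not part of this thread or of any distribution's scripts), a small POSIX shell wrapper that does what the reply above describes: after su, point XAUTHORITY at the desktop user's own cookie file for one command only, so nothing lingers in the root shell, and refuse a cookie file that other users can read. The path /home/alan/.Xauthority and the display :0.0 are assumed values for illustration.

```shell
#!/bin/sh
# Constructed example: run one X client as root using the invoking user's
# MIT-MAGIC-COOKIE-1 file via XAUTHORITY, instead of opening the display
# with "xhost +". Paths and display names here are assumptions.

# Build the one-shot command line. Using "env" keeps XAUTHORITY and
# DISPLAY scoped to that single process; the calling shell is untouched.
xauth_cmd() {
    # $1 = desktop user's .Xauthority, $2 = DISPLAY, rest = client command
    authfile=$1; display=$2; shift 2
    printf 'env XAUTHORITY=%s DISPLAY=%s %s\n' "$authfile" "$display" "$*"
}

# Sanity check on the cookie file: whoever can read it can connect to the
# display just as if "xhost +" had been run, so require mode 0600.
xauth_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # columns 5-10 of "ls -l" are the group and other permission bits
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run the client as root with the borrowed cookie, or refuse loudly.
run_as_root_client() {
    authfile=$1; display=$2; shift 2
    if ! xauth_file_ok "$authfile"; then
        echo "refusing: $authfile missing or readable by others" >&2
        return 1
    fi
    env XAUTHORITY="$authfile" DISPLAY="$display" "$@"
}

# Typical use after "su -": the cookie stays in the user's home directory,
# so the root shell never needs "xhost" at all.
# run_as_root_client /home/alan/.Xauthority :0.0 xterm
```

The file check is the part worth keeping even if you type the env prefix by hand: a world-readable .Xauthority hands out display access as freely as xhost does.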