Allowing Incoming X Connections with xhost


The xhost command instructs an X Window System server (the program that draws your desktop) to accept connections from X clients running on other systems, so that their application windows appear on your display. Access is granted per host, not per user: any account on a host you add to the list can connect, and a connected client can read keystrokes, capture screen contents and inject input for every other window on that display. Because the host-based security model that makes xhost work is this weak, and because the X protocol itself crosses the network unencrypted, you should use xhost to allow incoming connections only if your computer systems are behind a firewall and all users on your network are trusted. The ssh X forwarding techniques discussed earlier in this chapter avoid both problems.

The xhost Command Can Be Dangerous!

Using the xhost command to enable incoming X connections on a machine that is not behind a dedicated firewall can render your computer vulnerable to attack. Anyone who can reach the X server's TCP port (6000 for display :0) from a permitted host, or from anywhere at all if access control is disabled, can open windows, log your keystrokes and read your screen, leading to data theft or destruction by malicious Internet users.


To instruct a Linux desktop environment to allow incoming connections via the xhost command, start a terminal application and type the following command:

 xhost hostname ... 

Replace hostname with the hostnames of the systems from which application connections should be accepted. For example, to allow programs running on the computers workstation10 and mailservera to be displayed on the local computer's desktop, enter the following:

 [you@workstation20 ~]$ xhost workstation10 mailservera
 workstation10 being added to access control list
 mailservera being added to access control list
 [you@workstation20 ~]$

Fully qualified domain names and network addresses can also be used with the xhost command:

 [you@workstation20 ~]$ xhost sunsystem1.yourcompany.com 10.1.24.192
 sunsystem1.yourcompany.com being added to access control list
 10.1.24.192 being added to access control list
 [you@workstation20 ~]$

To list those systems currently allowed to connect to the local desktop and create windows on it, enter the xhost command without arguments:

 [you@workstation20 ~]$ xhost
 access control enabled, only authorized clients can connect
 INET:workstation10.mycompany.com
 INET:mailservera.mycompany.com
 INET:sunsystem1.yourcompany.com
 INET:10.1.24.192
 [you@workstation20 ~]$

The listed systems can all open application windows on the local desktop. To remove a system from the list of systems that are allowed to connect to the local desktop, call xhost and place a minus sign (-) in front of the name of the system you would like to remove. Removing a host denies new connection attempts from it but does not break connections that host has already established:

 [you@workstation20 ~]$ xhost -workstation10.mycompany.com
 workstation10.mycompany.com being removed from access control list
 [you@workstation20 ~]$
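Because the access list is easy to leave open by accident, it is worth checking it from time to time. The following script is an added example for this section and is not part of the book's text; it reads the output of a bare xhost command on standard input and classifies it, exiting 0 when only local entries are present, 1 when remote INET/INET6 hosts are still listed, and 2 when access control has been disabled entirely. The sample xhost output at the bottom is constructed for the demonstration, not captured from a real system.

```shell
#!/bin/sh
# Added example: audit the output of `xhost` (run with no arguments).
# Reads that output on stdin and returns:
#   0  access control enabled, only local entries (LOCAL:, SI:) present
#   1  access control enabled, but remote INET/INET6 entries are listed
#   2  access control disabled (someone ran `xhost +`)
audit_xhost_acl() {
    disabled=0
    remote=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                disabled=1 ;;
            INET:*|INET6:*)
                # A TCP entry: every user on that host may connect.
                remote=$((remote + 1))
                printf 'remote entry: %s\n' "${line#*:}" ;;
            *)
                # "access control enabled ...", LOCAL:, SI:localuser:name
                ;;
        esac
    done
    if [ "$disabled" -eq 1 ]; then
        echo "DANGER: access control disabled; run 'xhost -' to re-enable it"
        return 2
    fi
    if [ "$remote" -gt 0 ]; then
        echo "WARNING: $remote remote entries; remove each with 'xhost -<host>'"
        return 1
    fi
    echo "OK: access control enabled, no remote entries"
    return 0
}

# Usage on a live desktop:  xhost | audit_xhost_acl
# Demonstration on constructed xhost output (not captured from a real system):
SAMPLE_OPEN='access control disabled, clients can connect from any host
INET:workstation10.mycompany.com'
printf '%s\n' "$SAMPLE_OPEN" | audit_xhost_acl || echo "exit status $?"
```

The entry prefixes (INET:, INET6:, LOCAL:, SI:) are the families xhost itself prints; SI:localuser:name entries are server-interpreted rules that name a single local user rather than a whole host, which is why they are treated as safe here.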

Displaying Local Applications Remotely

When you start a desktop application from the command line, the application decides where it should display its window by reading the DISPLAY environment variable (the X client library reads it, so the variable must be in the application's environment, not merely set in the shell). The DISPLAY variable should hold a value of the following format:

 host:0 

For example, if the desktop on the system called newton.mycompany.com has been configured with the xhost command to allow connections from workstation20.mycompany.com (your system in this example), you can start an application on workstation20, which shows its application window on newton, by executing a command line like this one:

 [you@workstation20 ~]$ DISPLAY=newton.mycompany.com:0 emacs &
 [1] 6044
 [you@workstation20 ~]$

Access Control Can Be Disabled, But Watch Out!

In some rare cases, completely disabling access control and allowing all systems to open windows on your display can be helpful. For example, if you are configuring a local network that is not yet connected to the Internet, you might need to repeatedly open and close remote applications from a number of different computer systems. Access control can be completely disabled by supplying the plus sign (+) alone as an argument to xhost; afterward, any client that can reach the server's TCP port (6000 for display :0) or its local socket is accepted:

 xhost + 

When you want to reenable access control, once again preventing systems that are not on the control list from connecting, supply the minus sign (-) alone as an xhost argument:

 xhost - 

You should disable access control only in completely trusted environments, for example if your network is not connected to the Internet at all, because disabling access control represents a major security risk and can lead to attacks resulting in data theft or destruction by users outside your network. Note also that many distributions start the X server with the -nolisten tcp option (current X.Org servers do so by default), so it accepts only local connections; on such a system no xhost setting makes remote TCP connections work, and xhost + merely lets every local user connect to your display.


The DISPLAY=newton.mycompany.com:0 emacs & command shown above opens an emacs window on the desktop of the computer newton.mycompany.com on your local network, assuming that the xhost command has been used on the newton host to allow connections from workstation20. The emacs program itself uses the processor and memory resources of your workstation (in this case, workstation20) to run; only its window contents, and the keystrokes typed into it, cross the network.

The X Window System Supports Multiple Networked Displays

The :0 at the end of the DISPLAY variable's value is the display number: it tells the program to use display number 0, the first display, on the remote host. An X server for display number N accepts TCP connections on port 6000+N, so display :0 is port 6000; that is the port a firewall rule must allow for remote clients (or, better, block from untrusted networks). An optional .screen suffix, as in :0.0, selects a screen on that display; screen 0 is assumed when it is omitted. Because most PCs and workstations have only one display and one screen, you will rarely use higher numbers in place of zero.


It can get tiresome to assign a value to the DISPLAY variable each time you want to start a new program that displays remotely, particularly if you will be displaying several applications on the same remote display. In cases like this, you can set the value of DISPLAY once and then use the export command to place it in the shell's environment, so that every program you subsequently start from that shell inherits the value:

 [you@workstation20 ~]$ DISPLAY=newton.mycompany.com:0
 [you@workstation20 ~]$ export DISPLAY
 [you@workstation20 ~]$

After you use export to make the value of DISPLAY apply to all jobs you start from the shell, you no longer need to set the value explicitly to cause an application to display remotely. For example, after you export the value of DISPLAY as shown, the following command starts an emacs window, loads the file myfile.txt, and displays the application window on newton.mycompany.com so that the user sitting in front of that machine can edit myfile.txt:

 [you@workstation20 ~]$ emacs myfile.txt &
 [2] 6078
 [you@workstation20 ~]$

Remember, after you set and export the value of DISPLAY to point to another workstation, any application you start from that shell is displayed remotely rather than locally. To restore the value of DISPLAY so that applications you start appear on your local display again, set the value of the DISPLAY variable to :0.0; the empty host name before the colon tells the application to connect to the local X server through its Unix-domain socket rather than over TCP:

 [you@workstation20 ~]$ DISPLAY=:0.0
 [you@workstation20 ~]$ export DISPLAY
 [you@workstation20 ~]$

After you set the value of DISPLAY to :0.0, any applications you start afterward from the command line appear on your local display.
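The DISPLAY format described above determines not only where a window appears but how the connection is made. The following script is an added example, not part of the book, that parses a DISPLAY value into its host, display number and screen and reports the transport it implies: an empty or "unix" host means the local server's Unix-domain socket, while any other host means an unencrypted TCP connection to port 6000 plus the display number. It goes slightly beyond the text by also handling IPv6 literal hosts (split on the last colon) and the localhost:10.0 value that OpenSSH typically assigns on the remote side of an ssh -X session. All input values in the demo are constructed.

```shell
#!/bin/sh
# Added example: parse a DISPLAY value (host:display[.screen]) and report
# what it implies for the connection. Prints
#   host=... display=... screen=... transport=... port=...
# and returns 1 for a malformed value.
parse_display() {
    value=$1
    case "$value" in
        *:*) ;;
        *) echo "malformed DISPLAY (no colon): '$value'" >&2; return 1 ;;
    esac
    host=${value%:*}      # everything before the last colon (keeps IPv6 literals)
    rest=${value##*:}     # display[.screen]
    display=${rest%%.*}
    if [ "$rest" = "$display" ]; then
        screen=0          # no ".screen" given: X assumes screen 0
    else
        screen=${rest#*.}
    fi
    case "$display" in ''|*[!0-9]*)
        echo "malformed display number in '$value'" >&2; return 1 ;;
    esac
    case "$screen" in ''|*[!0-9]*)
        echo "malformed screen number in '$value'" >&2; return 1 ;;
    esac
    case "$host" in
        ''|unix) transport=unix; port=none ;;            # local socket
        *)       transport=tcp;  port=$((6000 + display)) ;;  # cleartext TCP
    esac
    printf 'host=%s display=%s screen=%s transport=%s port=%s\n' \
        "${host:-(local)}" "$display" "$screen" "$transport" "$port"
}

# Demo with constructed values: the book's remote display, the local reset
# value from the text, and the loopback display ssh -X typically sets.
for d in newton.mycompany.com:0 :0.0 localhost:10.0; do
    parse_display "$d"
done
```

The port calculation is the practical payoff: a firewall that is supposed to keep remote X clients out must block 6000 through roughly 6063 inbound, and the "tcp" verdict for any non-empty host is a reminder that everything on that connection, keystrokes included, travels in the clear.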

Displaying Remote Applications Locally

To display remote applications locally, you can use a similar technique. First, ensure that you have used the xhost command to enable incoming connections on the local desktop display, as discussed earlier in "Allowing Incoming X Connections with xhost." Then follow these steps:

1.

In a terminal window on your desktop, use the telnet command (or, preferably, ssh; see the sidebar) to log in to the remote system from which you want to start programs that will display locally.

2.

After you log in to the remote system with telnet, set and export the DISPLAY variable so that it refers to your local host system.

3.

Start your desktop applications as normal; they then appear on your local display.

Use telnet Only When You Absolutely Have To

Because telnet sends everything it carries, passwords included, across the network without encrypting it, telnet is less secure than ssh: anyone able to sniff the network can steal the passwords typed in a telnet session. The X traffic that the remote application then sends back to your display over TCP port 6000 is unencrypted as well, so your keystrokes and screen contents are exposed too. For these reasons, you should use telnet only if your network is behind a dedicated firewall, and instead use the ssh techniques discussed earlier in this chapter whenever possible: ssh -X encrypts both the login and the X traffic, sets DISPLAY on the remote system for you, and does not require opening your display with xhost at all.


This process is illustrated in the following sequence of commands. Assume that you are working at a system called workstation20.mycompany.com. This sequence starts the emacs application on a remote system called newton and displays its application window on your desktop:

 [you@workstation20 ~]$ telnet newton
 Trying 10.4.26.131...
 Connected to newton.
 Escape character is '^]'.
 SunOS Unix (newton)
 login: joeuser
 Password:
 [joeuser@newton joeuser]$ DISPLAY=workstation20.mycompany.com:0
 [joeuser@newton joeuser]$ export DISPLAY
 [joeuser@newton joeuser]$ emacs &
 [1] 31221
 [joeuser@newton joeuser]$

After you enter this sequence, the emacs application appears on your local display, running on the system called newton.



    SAMS Teach Yourself Red Hat(r) Fedora(tm) 4 Linux(r) All in One