What is xhost
The xhost command is the Linux X-Windows server access control program. Depending on the arguments used, xhost grants or denies user/host access (connections) to the local X server, thereby allowing or denying users/hosts the ability to display X-Windows-based applications, e.g. xclock, graphical installers, etc. The purpose of this post is to describe how to configure xhost to be persistent across Linux server reboots, thereby ensuring that users/hosts may continue to display X-Windows applications without privileged user intervention.
The xhost command is provided by the package xorg-x11-server-utils.
# yum whatprovides /usr/bin/xhost
Loaded plugins: fastestmirror, presto
Loading mirror speeds from cached hostfile
 * base: centos.s.uw.edu
 * extras: mirrors.usc.edu
 * updates: centos.s.uw.edu
xorg-x11-server-utils-7.7-14.el6.x86_64 : X.Org X11 X server utilities
Repo        : base
Matched from:
Filename    : /usr/bin/xhost
Use the yum install command to install the xorg-x11-server-utils package.
# yum install xorg-x11-server-utils
How to use xhost to manage access control to X server?
Below are some examples of adding hosts/IP addresses to, or removing them from, the access control list. Multiple hosts or IP addresses can be specified in a single command.
1. The xhost command without any argument displays the current access control list. For example:
$ xhost
access control enabled, only authorized clients can connect
SI:localuser:user
2. Use xhost +IP or xhost +host to add a particular host to the access control list.
$ xhost +geeklab
geeklab being added to access control list

$ xhost +192.168.12.10 +10.140.120.21 +126.96.36.199
192.168.12.10 being added to access control list
10.140.120.21 being added to access control list
188.8.131.52 being added to access control list
3. Use xhost -IP or xhost -host to remove a particular host from the access control list.
$ xhost -192.168.12.10
192.168.12.10 being removed from access control list
Enabling or Disabling Xserver access using xhost
The “xhost +” command without an IP or host argument disables X server access control. The “xhost -” command enables it again. Enabling or disabling access control does not change the entries in the current ACL. For example:
$ xhost +
access control disabled, clients can connect from any host

$ xhost
access control disabled, clients can connect from any host
INET:184.108.40.206
INET:192.168.12.10
INET:geeklab
SI:localuser:user

$ xhost -
access control enabled, only authorized clients can connect
Making xhost Access Control persistent across reboots
ACL entries last only as long as the X server in question is running; they are discarded when the X server restarts. To pre-define access control, create the file /etc/XN.hosts, where N is replaced by the DISPLAY number. Thus /etc/X0.hosts contains the pre-defined access control list for the X server running on DISPLAY 0, /etc/X1.hosts contains the same for the X server on DISPLAY 1, and so on. For example:
$ cat /etc/X0.hosts
192.168.12.10
220.127.116.11
The X server reads this file at startup for the access controls to apply. The pre-loaded access control can always be modified using the xhost command. Access control can be enabled, disabled or modified from any host by any user who has access to the X server in question. Access to the xhost binary can be restricted to overcome this. The restrictions must be applied to user accounts on every system that is allowed access to the X server in question.
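A check for the settings described above, as an added example that is not part of the original post: a shell function that reads either xhost output or the contents of an /etc/XN.hosts file and flags disabled access control and every entry that is not limited to a single local user. The function name audit_xhost and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post).
# audit_xhost: read `xhost` output or /etc/XN.hosts content on stdin,
# print one finding per line, return 0 if nothing needs attention,
# 1 otherwise.
audit_xhost() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            ""|"access control enabled"*)
                ;;  # blank line, or ACL is being enforced
            "access control disabled"*)
                # State after "xhost +": the ACL entries are ignored.
                echo "CRITICAL: access control disabled, any host can connect"
                findings=$((findings + 1)) ;;
            SI:localuser:*|si:localuser:*)
                echo "OK: single local user ${line##*:}" ;;
            *)
                # INET:/INET6: lines from xhost, or bare names/IPs from
                # /etc/XN.hosts: these admit every user on that host.
                echo "WARN: entry not limited to one local user: $line"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Typical use on a live system:
#   xhost | audit_xhost
#   audit_xhost < /etc/X0.hosts
# Demo on constructed sample output (shape taken from the listings above).
audit_xhost <<'EOF' || true
access control disabled, clients can connect from any host
INET:192.168.12.10
INET:geeklab
SI:localuser:user
EOF
```

A non-zero return makes the function usable in a login script or a configuration-management check that should fail when the ACL has been opened up.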