Startx lets the server use the users .Xauthority file. Since this file may contain credentials for other servers from other users we may not want to have these authorizations open with the server that's started. This is not a huge security hole - however it is something that should be looked out for.
Created attachment 2477 [details] [review] Separate client and server auth files This patch separates the client and the server auth files. It adds a newly created cookie to the server auth file. If the same display doesn't have an entry in the .Xauthority file already it will add the cookie for this display. Otherwise it will extract the cookie and add it to the server autorization file also. This creates a small security hole - but it is better than to toss credentials from an Xserver may be still running. I don't expect this security hole to be too big: These credentials should only belong to displays on the local machine and will only create a problem if the user is starting an Xserver with a display number that has been previously used by somebody else and the user had been given the cookie of this display. To fix this we would need a way to detect if a display is still running and bail before we get there. Maybe someday I will hack something up.
This was inspired by Fabian Franz who found a similar issue in NX.
This has been committed: revision 1.3 date: 2005-04-20 19:54:12 +0200; author: eich; state: Exp; lines: +25 -2; 2005-04-20 Egbert Eich <eich-at-freedesktop-dot-org> * programs/xinit/startx.cpp: Separate server auth and client .Xautority file in startx. .Xautority might have credentials from other Xservers which we might not want to enable on ours Bugzilla #3078).
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.