Skip to content

fix: Enable Xauth access control for X11 sessions #53

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zccrs merged 1 commit into from
Dec 5, 2025
Merged

fix: Enable Xauth access control for X11 sessions #53

zccrs merged 1 commit into from
Dec 5, 2025

Conversation

@calsys456
Copy link
Contributor

@calsys456 calsys456 commented Dec 5, 2025
edited by sourcery-ai bot
Loading

Use Xauth instead of unsafe xhost +

Summary by Sourcery

Bug Fixes:

  • Always create and export an Xauthority file for X11 sessions, even when a display server command is specified, so Xauth access control is reliably applied.

@calsys456
fix: Enable Xauth access control for X11 sessions
fc1234f 
Use Xauth instead of unsafe xhost +
@deepin-ci-robot
Copy link

deepin-ci-robot commented Dec 5, 2025

Hi @calsys456. Thanks for your PR.

I'm waiting for a linuxdeepin member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sourcery-ai
Copy link

sourcery-ai bot commented Dec 5, 2025

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Switch X11 session authorization from xhost-based access control to Xauthority (xauth) and ensure the XAUTHORITY file is always set up for X11 sessions, including greeter sessions.

Sequence diagram for X11 session startup with Xauth-based access control

sequenceDiagram
    actor User
    participant DisplayManager as DisplayManagerHelper
    participant UserSession
    participant Xorg as XorgServer
    participant XauthFile as XauthorityFile

    User ->> DisplayManager: Start X11 login
    DisplayManager ->> Xorg: Start Xorg display server
    Xorg -->> DisplayManager: Display ready

    DisplayManager ->> UserSession: Launch session (env XDG_SESSION_TYPE=x11)

    UserSession ->> UserSession: Check XDG_SESSION_TYPE == x11
    alt X11 session
        UserSession ->> DisplayManager: Request auth cookie
        DisplayManager -->> UserSession: Cookie bytes
        UserSession ->> XauthFile: Create temp file /tmp/xauth_XXXXXX
        UserSession ->> XauthFile: Write cookie entry
        UserSession ->> UserSession: Set env XAUTHORITY to xauth file
        UserSession ->> UserSession: setProcessEnvironment(env)

        alt Greeter session (XDG_SESSION_CLASS=greeter)
            UserSession ->> Xorg: Start greeter command with XAUTHORITY
        else Regular user session
            UserSession ->> Xorg: Start user session command with XAUTHORITY
        end
    else Non-X11 session
        UserSession ->> UserSession: Skip Xauth setup
        UserSession ->> WaylandOrOther: Start non-X11 session
    end
Loading

File-Level Changes

Change Details Files
Ensure Xauthority file and XAUTHORITY environment variable are created for all X11 sessions, not only when no display server command is set.
  • Remove the m_displayServerCmd.isEmpty() condition from the X11-session check so the Xauthority file is created whenever XDG_SESSION_TYPE is x11.
  • Move the XDG_SESSION_TYPE == x11 check so that the Xauthority setup and subsequent X11 startup logic run in the same conditional block.
  • Keep passing the helper-provided auth cookie into a temporary Xauthority file and exporting it via the XAUTHORITY environment variable for the child process.
 src/helper/UserSession.cpp
Adjust X11 setup script to use Xauth-based access control instead of xhost + (details not fully visible in provided diff).
  • Update Xsetup script logic so X11 access control relies on Xauthority instead of globally disabling access control with xhost +.
 data/scripts/Xsetup
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Dec 5, 2025
View reviewed changes
Copy link

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey there - I've reviewed your changes and they look great!

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@deepin-ci-robot
Copy link

deepin-ci-robot commented Dec 5, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: calsys456, zccrs

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@zccrs zccrs merged commit bc4c5ba into linuxdeepin:master Dec 5, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@zccrs zccrs zccrs approved these changes

Assignees

No one assigned

Labels

needs-ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@calsys456 @deepin-ci-robot @zccrs