From fc1234f158fdc89528956c8c45eb0f9dce304365 Mon Sep 17 00:00:00 2001
From: April & May & June
Date: Fri, 5 Dec 2025 14:10:50 +0800
Subject: [PATCH] fix: Enable Xauth access control for X11 sessions
Use Xauth instead of unsafe xhost +
---
 data/scripts/Xsetup | 4 ----
 src/helper/UserSession.cpp | 5 +----
 2 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/data/scripts/Xsetup b/data/scripts/Xsetup
index 4c29d0e..944c098 100755
--- a/data/scripts/Xsetup
+++ b/data/scripts/Xsetup
@@ -1,6 +1,2 @@
 #!/bin/sh
 # Xsetup - run as root before the login dialog appears
-
-# Allow all client connect to the Xorg server. Since our X server is started as
-# root, but sessions are started as user.
-xhost +
diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
index a2c005d..757d8ab 100644
--- a/src/helper/UserSession.cpp
+++ b/src/helper/UserSession.cpp
@@ -82,8 +82,7 @@ namespace DDM {
 // If the Xorg display server was already started, write the passed
 // auth cookie to /tmp/xauth_XXXXXX. This is done in the parent process
 // so that it can clean up the file on session end.
- if (env.value(QStringLiteral("XDG_SESSION_TYPE")) == QLatin1String("x11")
- && m_displayServerCmd.isEmpty()) {
+ if (env.value(QStringLiteral("XDG_SESSION_TYPE")) == QLatin1String("x11")) {
 // Create the Xauthority file
 QByteArray cookie = helper->cookie();
 if (cookie.isEmpty()) {
@@ -111,9 +110,7 @@ namespace DDM {
 env.insert(QStringLiteral("XAUTHORITY"), m_xauthFile.fileName());
 setProcessEnvironment(env);
- }
- if (env.value(QStringLiteral("XDG_SESSION_TYPE")) == QLatin1String("x11")) {
 QString command;
 if (env.value(QStringLiteral("XDG_SESSION_CLASS")) == QLatin1String("greeter")) {
 command = m_path;
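Review bot: The comment above the condition in the `@@ -82,8 +82,7 @@` hunk (`// If the Xorg display server was already started, ...`) no longer matches the code: with `&& m_displayServerCmd.isEmpty()` dropped, the Xauthority file is written for every `x11` session, including those where this helper launches the display server itself. I would reword it to something like `// For every X11 session, write the passed auth cookie to /tmp/xauth_XXXXXX.` and keep the sentence about the parent process cleaning the file up. Because `xhost +` is removed in the same commit, the `cookie.isEmpty()` branch is now the only thing standing between that second path and a session with no working authorisation; its body is outside the hunk, so please confirm it aborts the session start instead of continuing without `XAUTHORITY`, and that the server in that path is started against the same cookie (not visible here). The enclosing function starts and ends outside the hunk.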