When trying to run a graphical program under a different user than the X server, this is not permitted on a properly configured system. often xhost is used to allow the local host or a limited number of remote hosts access to the local X server. unfortunately, this mechanism does not differentiate between users and introduces a security risk because all users on such a machine are allowed to use the X server.

Often xhost +local: is used to restrict the availability of the X server to local non-networked connection but on a multi-user system, this does not enhance security very much.

A more secure approach is the use of magic cookies that authenticate the X client with the server. If the foreign user has obtained the magic cookies from you, he is able to connect a client to the X server. other users that do not have access to the cookie are denied the access.

To transfer a cookie to another remote account, use the following command:

xauth nextract - ${DISPLAY} | ssh USER@HOST xauth nmerge -

See also Pipes over SSH

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.