Solved X11-apps inside jail: Authorization required, but no authorization protocol specified

X11 applications inside a jail used to work really well. It seems that with my upgrade to FreeBSD 14.1-RELEASE things have changed. Now I get the following error (when being inside a jail):
Code:
hsebert@bsd-wine:~ $ xclock
Authorization required, but no authorization protocol specified

Error: Can't open display: :0

The variable DISPLAY is set via:
Code:
export DISPLAY=:0

When I am root everything works fine! It's just when I am an unprivileged user that I am getting this error.

This is what my fstab for the jail looks like:
Code:
/tmp/.X11-unix          /jail/bsd-wine/tmp/.X11-unix      nullfs              rw                      0       0

Here are the permissions of the socket inside my jail:
Code:
hsebert@bsd-wine:~ $ ls -la /tmp/.X11-unix/X0
srwxrwxrwx  1 root wheel 0 Nov  4 00:07 /tmp/.X11-unix/X0=

I see that an unprivileged user has to be in the group wheel. But that has already been done:
Code:
hsebert@bsd-wine:~ $ groups
hsebert wheel operator

And, again, the jail in question used to work just fine.

Has anything changed in 14.1 and/or the ports?
 
I am able to run X clients from a jail on 14.1-RELEASE.
  1. Do you have a $HOME/.Xauthority file in the jail for the user who is trying to run X clients? If not, you probably need to create a $HOME/.Xauthority in each jail.
  2. If you run "xauth list" in the parent-system (as the user who started the X server), does the MIT-MAGIC-COOKIE-1 value for the parent hostname match the cookie value in the jail for the jail's hostname? If not, you'll need to create a $HOME/.Xauthority entry in the jail with that cookie value, but be sure to use the hostname of the jail when you create it in the jail. See the xauth man page. You can run xauth in the jail, then type:
    add jailhostname/unix:0 MIT-MAGIC-COOKIE-1 cookie-value-from-parent
    (replace the jailhostname with the hostname of the jail, and replace cookie-value-from-parent with the cookie value from running "xauth list" in the parent system)
Whenever I start X, I run a custom script from my $HOME/.xinitrc file that automatically copies the proper xauth entry from the parent system's most recent $HOME/.serverauth* file to every jail, so that each jail always has the proper/current cookie for access whenever a direct X11 connection is attempted. (not sure, but I think the cookie value changes each time the X server is started)

I believe this approach is more secure than simply running "xhost +".
 
See the attached "copy_xauth_jail" sh script, which you can run in $HOME/.xinitrc to copy the X authorization automatically to every jail at X startup. At least this is what I do. I suggest you run the script once manually, just to make sure there are no errors/warnings, and then check that you can invoke X clients with DISPLAY=":0" in one of your jails.
  • You will need to edit the jailroot= line in the script to match the directory where your jail roots live.
  • You will need to create an empty $HOME/.Xauthority file in each desired jail before running the script.
  • Remember to set the executable bit on the script. :)
(This is my first time posting a sh script as a text attachment -- hope this works and is how the admins prefer sh scripts to be posted)
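
The cookie copy described in the replies above, as an added example (this is not the attached copy_xauth_jail script, which is not reproduced on this page). The function names, the hostname parent.example, the sample cookie values and the example .Xauthority path are assumptions made for illustration; bsd-wine is the jail hostname from the thread.

```shell
#!/bin/sh
# Added example: build and install the jail's xauth entry from the host's cookie.

# Constructed sample of `xauth list` output on the parent system
# (hostname and cookie values are made up for illustration).
SAMPLE_XAUTH_LIST='parent.example/unix:1  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100
parent.example/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

# Read `xauth list` text on stdin and print the matching "add" line for the jail.
#   $1 = jail hostname, $2 = display number (default 0)
# Returns non-zero when no usable cookie for that display is found.
jail_xauth_entry() {
    awk -v host="$1" -v disp="${2:-0}" '
        $2 == "MIT-MAGIC-COOKIE-1" && $1 ~ ("/unix:" disp "$") && $3 ~ /^[0-9a-f]+$/ {
            cookie = $3            # keep the last matching entry
        }
        END {
            if (cookie == "") exit 1
            printf "add %s/unix:%s MIT-MAGIC-COOKIE-1 %s\n", host, disp, cookie
        }'
}

# Run on the parent system as the user who started the X server.
#   $1 = jail hostname
#   $2 = the jail user's .Xauthority as seen from the host
copy_cookie_to_jail() {
    entry=$(xauth list | jail_xauth_entry "$1") || {
        echo "no MIT-MAGIC-COOKIE-1 entry found for display :0" >&2
        return 1
    }
    # $entry is "add <display> <protocol> <cookie>"; split it into arguments.
    # shellcheck disable=SC2086
    xauth -f "$2" $entry
}

# Only act when called with both arguments, e.g. (path is an assumption):
#   sh copy_cookie.sh bsd-wine /jail/bsd-wine/home/hsebert/.Xauthority
if [ "$#" -eq 2 ]; then
    copy_cookie_to_jail "$1" "$2"
fi
```

Unlike "xhost +", this grants access only to clients that can read the cookie file, so the jail user's .Xauthority should not be readable by other users.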
 
Thank you all.

It was indeed a missing xhost +.

I had once changed it to xhost si:localuser:root in my ~/.xinitrc and forgot about it. This also explains why it worked with root but not anyone else.
 