xhost(1)

NAME

xhost - server access control program for X

SYNOPSIS

xhost [ [+-] hostname ] [ +- username@[domainname]]

DESCRIPTION

The xhost program is used to (1) add hosts to and delete hosts from the list of machines, and (2) add users to and delete users from the list of users, that are allowed to make connections to the X server.  Using the first form provides a rudimentary form of privacy control and security.  It is only sufficient for a workstation (single user) environment, although it does limit the worst abuses.  Environments which require more sophisticated measures should use the hooks in the protocol for passing authentication data to the server.  The second form of xhost is used to manipulate SUN-DES-1 authentication protocol entries.

By default, the X11/NeWS server supports "MIT-MAGIC-COOKIE" security, which is a user-specific, rather than host-specific, mechanism.  To change this default, see the openwin(1) man page.  When openwin is started with the ’-noauth’ option, the server initially allows network connections only from programs running on the same machine or from machines listed in the file /etc/X*.hosts (where * is the display number of the server).  The xhost program is usually run either from a startup file or interactively to give access to other users.

Hostnames that are followed by two colons (::) are used in checking DECnet connections; all other hostnames are used for TCP/IP connections. 

The X server stores host names in the form of the host’s network address.  Thus, if a host’s network address changes, xhost should be re-invoked to re-identify that host for the X server. 

OPTIONS

xhost accepts the command line options described below.  For security, the options that affect access control may only be run from the same machine as the server.

[+]hostname
The given hostname (the plus sign is optional) is added to the list of machines that are allowed to connect to the X server. 

-hostname
The given hostname is removed from the list of machines that are allowed to connect to the server.  Existing connections are not broken, but new connection attempts will be denied.  Note that the current machine is allowed to be removed; however, further connections (including attempts to add it back) will not be permitted.  Resetting the server (thereby breaking all connections) is the only way to allow local connections again. 

+username@domainname
The given username is added to the list of users who are allowed to connect to the server. If domainname is omitted, the username is assumed to be in the local domain. 

-username@domainname
The given username is removed from the list of users who are allowed to connect to the server. The same caveats as for removing a hostname apply here too.

+
Access is granted to everyone, even if they aren’t on the list of allowed hosts (i.e. access control is turned off).

-
Access is restricted to only those machines on the list of allowed hosts (i.e. access control is turned on).

nothing
If no command line arguments are given, the list of hosts and/or users that are allowed to connect is printed on the standard output along with a message indicating whether or not access control is currently enabled.  This is the only option that may be used from machines other than the one on which the server is running.
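
The argument forms above can be checked mechanically when reviewing startup files that call xhost. The following script is an added example, not part of the original manual page: the function names and the sample startup lines are assumptions constructed for illustration. It flags the bare +, host-wide entries, and the -display case described under BUGS.

```shell
#!/bin/sh
# Added example: triage xhost arguments using the forms in OPTIONS.

# classify_xhost_arg ARG: print "<action> <target>" for one argument.
classify_xhost_arg() {
    arg=$1
    case $arg in
        +)  echo "access-control-off *"; return ;;
        -)  echo "access-control-on *"; return ;;
        +*) op=add;    name=${arg#+} ;;
        -*) op=remove; name=${arg#-} ;;
        *)  op=add;    name=$arg ;;   # the plus sign is optional
    esac
    case $name in
        *@*) echo "$op-user $name" ;;              # SUN-DES-1 user entry
        *::) echo "$op-decnet-host ${name%::}" ;;  # trailing :: means DECnet
        *)   echo "$op-host $name" ;;              # TCP/IP host
    esac
}

# audit_xhost_line LINE: print one finding per argument worth reviewing.
audit_xhost_line() {
    set -f; set -- $1; set +f   # split LINE into words without globbing
    [ "$1" = xhost ] || return 0
    shift
    for a in "$@"; do
        r=$(classify_xhost_arg "$a")
        case $r in
            access-control-off*)
                echo "HIGH: '$a' turns access control off for everyone" ;;
            add-host*|add-decnet-host*)
                echo "REVIEW: '$a' admits host ${r#* } (host-based, not per-user)" ;;
            "remove-host display")
                echo "NOTE: '$a' removes a host named display (see BUGS)" ;;
        esac
    done
}

# Constructed startup-file lines for illustration (not from the manual page).
while IFS= read -r line; do
    audit_xhost_line "$line"
done <<'EOF'
xhost +
xhost buildhost vax1:: -display
xhost +alice@ -
EOF
```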

FILES

/etc/X*.hosts

SEE ALSO

openwin(1)
OpenWindows Version 3.1 Programmer’s Guide

ENVIRONMENT

DISPLAY
to get the default host and display to use.

BUGS

You can’t specify a display on the command line because -display is a valid command line argument (indicating that you want to remove the machine named “display” from the access list).

COPYRIGHT

Copyright 1988, Massachusetts Institute of Technology. 
See X11(7) for a full statement of rights and permissions. 

AUTHORS

Bob Scheifler, MIT Laboratory for Computer Science,
Jim Gettys, MIT Project Athena (DEC).

SunOS 5.1/SPARC  —  Last change: 23 March 1992
