

--xauth: new option to configure X cookies
--no-auth: deprecated
mviereck committed Jul 10, 2022
1 parent bcf25ab commit 684afd7
Showing 2 changed files with 55 additions and 25 deletions.
6 changes: 5 additions & 1 deletion CHANGELOG.md
Expand Up @@ -6,7 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

Project website: https://github.com/mviereck/x11docker

### [Unreleased]
## [Unreleased]
### Added
- `--xauth [=yes|trusted|untrusted|no]`: New option to configure X cookie.
### Changed
- `--xoverip`: New optional arguments `yes|no|socat`.
Using `socat` allows X over TCP with Xwayland related options.
Expand All @@ -15,6 +17,8 @@ Project website: https://github.com/mviereck/x11docker
- `--user`: Fix in setup of `/etc/gshadow`.
- `--xc`: Provide X unix socket to host with `socat` instead of `ln`.
GTK3 application failed to access X through a soft link.
### Deprecated
- `--no-auth`: Use `--xauth=no` instead.

## [7.3.2](https://github.com/mviereck/x11docker/releases/tag/v7.3.2) - 2022-07-08
### Added
74 changes: 50 additions & 24 deletions x11docker
Expand Up @@ -11,7 +11,7 @@
# Run 'x11docker --help' or scroll down to read usage information.
# More documentation at: https://github.com/mviereck/x11docker

Version="7.3.3-beta-3"
Version="7.3.3-beta-4"

# --enforce-i: Enforce running in interactive mode to allow commands tty and weston-launch in special setups.
grep -q -- "--enforce-i" <<< "$*" && case $- in
Expand Down Expand Up @@ -235,15 +235,21 @@ X and Wayland special configuration:
--display=N Use display number N for new X server.
--keymap=LAYOUT Set keyboard layout for new X server, e.g. de, us, ru.
For possible LAYOUT look at /usr/share/X11/xkb/symbols.
--no-auth Allow access to X for everyone. Security risk!
--vt [=N] Use vt / tty N. Without N search an unused tty.
--westonini=FILE Custom weston.ini for --weston and --weston-xwayland.
--xhost [=STR] Set \"xhost STR\" on new X server (see 'man xhost').
Without STR will set: +SI:localuser:\$USER
(Use with care. '--xhost=+' allows access for everyone).
--xoverip [=yes|no|socat] Connect to X over TCP network. For special setups
only, usually only enabled by x11docker itself.
Needs option --network.
--xauth [=yes|trusted|untrusted|no] Configure X cookie authentication.
Possible arguments:
yes|trusted: Enable cookie authentication with trusted
cookies. (General x11docker default.)
untrusted: Untrusted cookie for untrusted apps
limiting access to X resources.
Useful to avoid MIT-SHM with --hostdisplay.
no: Disable cookie authentication. Dangerous!
--xtest [=yes|no] Enable or disable X extension XTEST. Default is yes for
--xpra and --xvfb, no for other X servers.
Needed to allow keyboard and mouse control with xpra.
Expand Down Expand Up @@ -3716,22 +3722,22 @@ create_xcommand() { ### create command to start X server and/or Wayl

# X cookie authentication
case "$Xauthentication" in
yes)
yes|trusted|untrusted)
Xserveroptions="$Xserveroptions \\
-auth $Xservercookie" ;;
no)
Xserveroptions="$Xserveroptions \\
-ac"
case "$Xoverip" in
socat) ;; ### FIXME
yes) warning "Option --no-auth: SECURITY RISK!
yes) warning "Option --xauth=no: SECURITY RISK!
Allowing access to new X server for everyone.
Your X server is accessible over TCP network without any restriction.
That can be abused to take control over your system." ;;
no)
case "$Xserver" in
--hostdisplay|--hostwayland|--weston|--kwin|--tty) ;;
*) warning "Option --no-auth: SECURITY RISK!
*) warning "Option --xauth=no: SECURITY RISK!
Allowing access to new X server for everyone." ;;
esac
;;
Expand Down Expand Up @@ -4067,7 +4073,7 @@ mode=$Screensize" >> "$Westonini"

# Workaround as nxagent ignores XAUTHORITY and fails to start if option -auth is given without containing the cookie from host display.
# Option -ac above complies "xhost +" and is reverted in xinitrc.
[ "$Xauthentication" = "yes" ] && unpriv "cp '$Hostxauthority' '$Xservercookie'"
[ "$Xauthentication" != "no" ] && unpriv "cp '$Hostxauthority' '$Xservercookie'"

# fake NXclient
echo '#! /usr/bin/env bash
Expand Down Expand Up @@ -4707,7 +4713,7 @@ create_xinitrc() { # create xinitrc: set up X environment, create c
echo "export DISPLAY XAUTHORITY WAYLAND_DISPLAY"
;;
--runx)
[ "$Xauthentication" = "yes" ] && {
[ "$Xauthentication" != "no" ] && {
echo "# cookie generated by runx"
echo 'debugnote "xinitrc: Option --runx: Using cookie: $XAUTHORITY"'
echo "cp -T \"\$XAUTHORITY\" '$Xclientcookie'"
Expand Down Expand Up @@ -4739,9 +4745,16 @@ create_xinitrc() { # create xinitrc: set up X environment, create c
esac
echo ""

[ "$Xauthentication" = "yes" ] && {
[ "$Xauthentication" != "no" ] && {
echo "# create new XAUTHORITY cookies"
echo "Trusted=trusted"
case "$Xauthentication" in
yes|trusted)
echo "Trusted=trusted"
;;
untrusted)
echo "Trusted=untrusted"
;;
esac
case "$Runsoverssh" in
no)
echo "echo 'Requesting \$Trusted cookie from X server'"
Expand Down Expand Up @@ -4778,15 +4791,15 @@ create_xinitrc() { # create xinitrc: set up X environment, create c
echo "[ -s '$Xclientcookie' ] || warning 'Cookie creation failed!'"
}
echo "export XAUTHORITY=$Xclientcookie"
echo "[ '$Xauthentication' = 'no' ] || [ ! -s '$Xclientcookie' ] && unset XAUTHORITY && warning 'Option --no-auth: X server $Newdisplay runs without cookie authentication.'"
echo "[ '$Xauthentication' = 'no' ] || [ ! -s '$Xclientcookie' ] && unset XAUTHORITY && warning 'Option --xauth=no: X server $Newdisplay runs without cookie authentication.'"
echo ""

case "$Xserver" in
--hostdisplay) ;; # do not change host settings
--xwin) ;; # xhost does not work over tcp
*)
case "$Xauthentication" in
yes)
yes|trusted|untrusted)
echo "# clean xhost"
echo "verbose 'Disabling any possible access to new X server possibly granted by xhost'"
echo "disable_xhost"
Expand Down Expand Up @@ -5025,7 +5038,7 @@ store_newxenv() { # store display variables
# create $Newxenv: collection of environment variables to access new X from host (e.g. in xinitrc)
[ "$Newdisplay" ] && storeinfo "DISPLAY=$Newdisplay" && Newxenv="$Newxenv
DISPLAY=$Newdisplay"
[ "$Xauthentication" = "yes" ] && storeinfo "XAUTHORITY=$Xclientcookie" && Newxenv="$Newxenv
[ "$Xauthentication" != "no" ] && storeinfo "XAUTHORITY=$Xclientcookie" && Newxenv="$Newxenv
XAUTHORITY=$Xclientcookie"
[ "$Newxsocket" ] && storeinfo "XSOCKET=$Newxsocket" && Newxenv="$Newxenv
XSOCKET=$Newxsocket"
Expand All @@ -5043,7 +5056,7 @@ XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR"
case "$Xserver" in
--xpra*|--xephyr|--weston-xwayland|--hostdisplay|--xorg|--xvfb|--xwayland|--kwin-xwayland|--nxagent|--xwin|--runx)
store_runoption env "DISPLAY=$Newdisplay"
[ "$Xauthentication" = "yes" ] && store_runoption env "XAUTHORITY=$(convertpath share "$Xclientcookie")"
[ "$Xauthentication" != "no" ] && store_runoption env "XAUTHORITY=$(convertpath share "$Xclientcookie")"
;;
--weston|--kwin|--hostwayland|--tty)
store_runoption env "WAYLAND_DISPLAY=$Newwaylandsocket"
Expand Down Expand Up @@ -7059,7 +7072,7 @@ storeinfo test locale && export LANG=\"\$(storeinfo dump locale)\"
echo "export $(escapestring "$Line")"
done < <(store_runoption dump env)

[ "$Xauthentication" = 'yes' ] || echo "unset XAUTHORITY && export XAUTHORITY"
[ "$Xauthentication" = "no" ] && echo "unset XAUTHORITY && export XAUTHORITY"

echo "
[ -d \"\$HOME\" ] && cd \"\$HOME\"
Expand Down Expand Up @@ -8905,7 +8918,7 @@ parse_options() { # parse cli options
Longoptions="$Longoptions,weston-xwayland,xpra-xwayland,xpra2-xwayland,xwayland" # X servers depending on a Wayland compositor
Longoptions="$Longoptions,hostwayland,kwin,weston" # Wayland compositors without X
Longoptions="$Longoptions,border::,dpi:,fullscreen,output-count:,rotate:,scale:,size:,xfishtank" # X/Wayland appearance options
Longoptions="$Longoptions,clean-xhost,composite::,display:,keymap:,no-auth,vt::,westonini:,xhost::,xoverip::,xtest::" # X/Wayland config
Longoptions="$Longoptions,clean-xhost,composite::,display:,keymap:,vt::,westonini:,xauth::,xhost::,xoverip::,xtest::" # X/Wayland config
Longoptions="$Longoptions,checkwindow::,enforce-i,fallback::,preset:,pull::" # x11docker config
Longoptions="$Longoptions,cachebasedir:,home::,homebasedir:,share:" # Host folders
Longoptions="$Longoptions,alsa::,clipboard::,gpu::,lang::,printer::,pulseaudio::,webcam" # Host integration features
Expand All @@ -8921,7 +8934,7 @@ parse_options() { # parse cli options
Longoptions="$Longoptions,install,remove,update,update-master" # Installation
#
Longoptions="$Longoptions,keepcache,remountcgroup,xopt:,xorgconf:" # Experimental
Longoptions="$Longoptions,dbus-system,exe,homedir:,hostipc,hostnet,iglx,kwin-xwayland,no-internet,no-xhost" # Deprecated
Longoptions="$Longoptions,dbus-system,exe,homedir:,hostipc,hostnet,iglx,kwin-xwayland,no-auth,no-internet,no-xhost" # Deprecated
Longoptions="$Longoptions,sharedir:,sharessh,systemd,showenv,showid,showinfofile,showpid1" # Deprecated
Longoptions="$Longoptions,cachedir:,no-init,nothing,no-xtest,openrc,podman,pull::,ps,pw::,runit,silent,starter" # Removed
Longoptions="$Longoptions,stderr,stdout,sys-admin,sysvinit,tini,trusted,untrusted,vcxsrv,xdummy" # Removed
Expand Down Expand Up @@ -9015,7 +9028,7 @@ ${1:-}"
--clean-xhost|--no-xhost) Cleanxhost="yes" # Disable xhost credentials on host X
[ "${1:-}" = "--no-xhost" ] && note "Option --no-xhost is deprecated.
Please use --clean-xhost instead." ;;
--no-auth) Xauthentication="no" ;; # Disable cookie authentication on new X, set xhost +. Use for debugging only
--xauth) Xauthentication="${2:-yes}" ; shift ;; # X cookie settings
--xhost) Xhost="${2:-auto}" ; shift ;; # Custom xhost setting on new X server

#### Host integration options
Expand Down Expand Up @@ -9145,6 +9158,8 @@ ${2:-}" ; shift ;; # Add custo
Please use option --gpu=iglx instead." ;;
--kwin-xwayland) Xserver="--kwin-xwayland" ; note "Option --kwin-xwayland is deprecated.
Please use option --weston-xwayland instead." ;;
--no-auth) Xauthentication="no" ; note "Option --no-auth is deprecated.
Please use option --xauth=no instead." ;;
--no-internet) Network="none"
note "Option --no-internet is deprecated.
Option --network=none is default now." ;;
Expand Down Expand Up @@ -9509,6 +9524,17 @@ check_options_arguments() { # check for [likely] valid arguments
}
}

# --xauth
case "$Xauthentication" in
yes|no|trusted|untrusted) ;;
*)
note "Option --xauth: Unknown argument: $Xauthentication
Fallback: Setting --xauth=yes"
check_fallback
Xauthentication="yes"
;;
esac

# --xoverip
case "$Xoverip" in
yes|no|socat|"") ;;
Expand Down Expand Up @@ -9579,7 +9605,7 @@ check_options_interferences() { # check multiple option interferences, change se
esac

# xauth
[ "$Xauthentication" = "yes" ] && case "$Xserver" in
[ "$Xauthentication" != "no" ] && case "$Xserver" in
--tty|--weston|--kwin|--hostwayland) Xauthentication="no" ;;
*)
xtool --check xauth || {
Expand All @@ -9590,12 +9616,12 @@ check_options_interferences() { # check multiple option interferences, change se
SECURITY RISK!
Your X server would be accessible over network without authentication!
That could be abused to take control over your system.
You can disable cookie authentication with discouraged option --no-auth."
You can disable cookie authentication with discouraged option --xauth=no."
;;
no|"")
warning "Command 'xauth' not found.
Securing X access with cookie authentication is not possible.
Fallback: Disabling X authentication protocol (option --no-auth)."
Fallback: Disabling X authentication protocol (option --xauth=no)."
check_fallback
;;
esac
Expand Down Expand Up @@ -9761,8 +9787,8 @@ check_options_interferences() { # check multiple option interferences, change se
}
}
check_optionset "--tty" "--border --clipboard --composite --desktop --display --dpi
--fullscreen --keymap --no-auth --output-count --rotate
--scale --size --vt --wm --westonini --xc --xfishtank
--fullscreen --keymap --output-count --rotate
--scale --size --vt --wm --westonini --xauth --xc --xfishtank
--xhost --xonly --xoverip --xtest" ||:
;;
--hostdisplay)
Expand Down Expand Up @@ -10570,7 +10596,7 @@ declare_variables() { # declare global variables
Screensize="" # --size XxY: Display size
Setupwayland="no" # --wayland, --kwin, --weston --hostwayland: Provide a Wayland environment
Waylandtoolkitenv="XDG_SESSION_TYPE=wayland GDK_BACKEND=wayland QT_QPA_PLATFORM=wayland CLUTTER_BACKEND=wayland SDL_VIDEODRIVER=wayland ELM_DISPLAY=wl ELM_ACCEL=opengl ECORE_EVAS_ENGINE=wayland_egl"
Xauthentication="yes" # --no-auth: use cookie authentication and disable xhost yes/no
Xauthentication="yes" # --xauth: cookie authentication
Xaxis="" # Virtual screen width
Xcomposite="" # --xcomposite: +extension COMPOSITE yes/no
Xkblayout="" # --keymap: Layout for keymap, compare /usr/share/X11/xkb/symbols
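Review bot: The renamed xinitrc warning in create_xinitrc, `[ '$Xauthentication' = 'no' ] || [ ! -s '$Xclientcookie' ] && unset XAUTHORITY && warning 'Option --xauth=no: ...'`, still fires when Xauthentication is `yes|trusted|untrusted` but `$Xclientcookie` is empty, so a failed cookie creation is reported as if the user had chosen `--xauth=no`, and a security-relevant failure is disguised as a deliberate choice. Splitting the two conditions keeps the attribution honest, e.g. `[ '$Xauthentication' = 'no' ] && { unset XAUTHORITY; warning 'Option --xauth=no: X server $Newdisplay runs without cookie authentication.'; }` followed by `[ -s '$Xclientcookie' ] || { unset XAUTHORITY; warning 'Cookie missing: X server $Newdisplay runs without cookie authentication.'; }`. The new `case "$Xauthentication"` that emits `Trusted=` in the same function has no `*)` arm, so `Trusted` stays unset for any value that reaches it without passing check_options_arguments; a fail-closed `*) echo "Trusted=trusted" ;;` would be cheap insurance. create_xinitrc begins and ends outside the shown hunks.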

