X apps in chroot



garyng
11-26-2004, 06:34 PM
Hi,

I am wondering if anyone knows what is the best way to run X apps in a chrooted environment. The X server (run before the chroot) refuses connections from X apps within the chroot. I know this is an authentication issue but don't know how to solve it.

Thanks and regards.

mzilikazi
11-26-2004, 06:54 PM
#DISPLAY=ip.ad.dr.ess:0.0
#export DISPLAY

garyng
11-26-2004, 07:07 PM
Thanks, I tried localhost:0.0 but it still didn't work. Could be that I need the xhost command as well before I chroot.

Durand Hicks
11-26-2004, 07:22 PM
I normally type startx -- :1 in the chrooted environment without any modifications whatsoever. The window should display in the eighth virtual terminal (vt8). As for the authentication issue, turn off X authentication in /etc/X11/xdm/xdm-conf, and you won't have to mess with xhost or xauth. If you use kdm or gdm, they each have a config file in /etc/X11/kdm/kdm-config or /etc/X11/gdm/gdm/gdm-config, respectively. Xauth uses authentication from your current environment, I think, so it might have flowed through to the chroot environment, but I'm not totally sure of this. I normally turn it off at both ends to prevent this sort of thing for troubleshooting purposes. When done, you might want to turn it back on, if you desire the security of your X sessions.

garyng
11-26-2004, 07:36 PM
I normally type startx -- :1 in the chrooted environment without any modifications whatsoever. The window should display in the eighth virtual terminal (vt8). As for the authentication issue, turn off X authentication in /etc/X11/xdm/xdm-conf, and you won't have to mess with xhost or xauth. If you use kdm or gdm, they each have a config file in /etc/X11/kdm/kdm-config or /etc/X11/gdm/gdm/gdm-config, respectively. Xauth uses authentication from your current environment, I think, so it might have flowed through to the chroot environment, but I'm not totally sure of this. I normally turn it off at both ends to prevent this sort of thing for troubleshooting purposes. When done, you might want to turn it back on, if you desire the security of your X sessions.

Thanks for the info. My situation is a bit odd. I started a VNC server from the hosting rootfs and VNC'd into it. Then I chrooted into another rootfs and tried to run X apps there. The hosting rootfs in this case doesn't even have a session manager (xdm etc.). What is even more complicated, I need to "su" into a normal user in this chrooted environment first before running the X apps.

This whole authentication system of X is still very confusing to me. I googled around and it seems that I can mount --bind /tmp into the chroot so as to directly use the X socket created there.

At the moment, I just bypass all this and start the VNC server within the chrooted environment, but I am still learning how to do it, as chrooting into another rootfs (under X) and running X apps seems to be a pretty standard requirement, so a proper solution will help in the future.

garyng
11-26-2004, 08:50 PM
Thanks for all the help, I finally have some idea of how this X security works.

By default, X clients access ~/.Xauthority to find cookies in order to talk to X server.

In order to make scenarios like "su" then running some root-only programs work, "xhost +local:" is needed, as this would allow anyone on the same machine (or with access to the /tmp/.X11-unix sockets) to connect to the running display.

For a chrooted environment, /tmp in the chroot is different from /tmp in the hosting rootfs, so the above won't work. "xhost +localhost" is needed, as that means any X apps running on the local machine (not depending on the rootfs anymore) can access the X server.

The above should be good enough for a workstation used by only one person. If one wants more security, one has to resort to using the 'xauth' command to extract the cookies and then import them into the destination ~/.Xauthority. Though this is still not encrypted in any way.

If one needs to access X apps on another machine, just add "xhost +hostname", but that would mean any X apps from hostname can access the running X server.

Hope this will help others.
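
Added example (not part of the original posts): the xauth route mentioned in the post above, copying only the cookie for one display into the chroot user's ~/.Xauthority instead of opening the server with xhost. The function name copy_x_cookie and the paths in the usage comment are hypothetical, and it assumes /tmp/.X11-unix has been bind-mounted into the chroot so the client reaches the same socket.

```shell
#!/bin/sh
# copy_x_cookie CHROOT_DIR HOME_IN_CHROOT [DISPLAY] [OWNER]
#   CHROOT_DIR      root of the other rootfs as seen from the host
#   HOME_IN_CHROOT  home directory of the target user, as seen inside the chroot
#   DISPLAY         display whose cookie is copied (default: $DISPLAY, then :0)
#   OWNER           optional uid:gid (numeric ids from the chroot's passwd file)
# Hypothetical usage:  copy_x_cookie /mnt/rootfs /home/user :1 1000:1000
copy_x_cookie() {
    cx_root=$1
    cx_home=$2
    cx_disp=${3:-${DISPLAY:-:0}}
    cx_owner=${4:-}
    cx_target="$cx_root$cx_home/.Xauthority"

    if [ ! -d "$cx_root$cx_home" ]; then
        echo "copy_x_cookie: no such directory: $cx_root$cx_home" >&2
        return 2
    fi

    # No entry on the host side means a wrong DISPLAY or a server started
    # without cookies; stop here rather than write an empty file.
    if [ -z "$(xauth list "$cx_disp" 2>/dev/null)" ]; then
        echo "copy_x_cookie: no cookie found for display $cx_disp" >&2
        return 3
    fi

    # The cookie is a plaintext secret: make the file private before
    # anything is written into it.
    ( umask 077; : >> "$cx_target" ) || return 4
    chmod 600 "$cx_target" || return 4

    # Copy the entry for this one display only, not the whole ~/.Xauthority.
    xauth extract - "$cx_disp" | xauth -f "$cx_target" merge - || return 5

    # The user inside the chroot must own the file to read it (needs root).
    [ -z "$cx_owner" ] || chown "$cx_owner" "$cx_target"
}
```

With the cookie in place, no "xhost +local:" or "xhost +localhost" entry is needed, so other local users and other hosts stay locked out of the display.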

pooba53
11-27-2004, 05:46 PM
I've tried the methods suggested in this post and must be missing a step. I still get authority errors related to /home/knoppix/.Xauthority from the chrooted environment.

The xdm-config has 0 for an authentication value. Do I need to say "false" instead?

Thanks.

Ambrose
12-21-2004, 02:09 AM
I've never actually started up X locally when remastering, I've always just started up VNC and then connected from a different computer.

But I don't think that's what you're trying to do here.