How to set up the X-Windows MIT-MAGIC-COOKIE-1 authorization scheme.

Document version 2.0 - 01/30/97
by Jonathan Simantov

Why do you need to run an X authorization scheme? Simple. If you don't, and you just use the host-based authorization scheme, there's nothing stopping users on your system from running a program such as xkey and logging your keystrokes.... which is a Very Bad Thing(tm). Also, it's very easy and shouldn't pose a problem if done correctly.

However, you don't need to do anything this document says if you run xdm, the X display manager. Furthermore, the steps in this document are meant for systems where a single user will be running X -- otherwise, xdm should be used.

The first thing you'll have to do is run the "xauth" program as root. Xauth simply creates the "Magic Cookie," which is a long hexadecimal number that the X server asks for before it allows anything to connect. When you run xauth for the first time it should look something like this:

    xauth: creating new authority file /home/locutus/.Xauthority
    Using authority file /root/.Xauthority
    xauth>

Now, think up a good 100-digit or so hexadecimal number. Don't worry, you won't have to remember it. It must consist of an even number of digits, however, and the more, the better. Make sure it isn't easy to guess, though. At the "xauth>" prompt, type:

    xauth> add :0 MIT-MAGIC-COOKIE-1
                                     ^^^^^^^^^^

With that large (100-digit or so) random hex number you decided on instead of . Then type "exit" at the prompt, and it will write the information to the .Xauthority file in root's homedir.

Copy this file to the home directory of the user who should be allowed to use the X server and to /etc/X11/Xauthority. Make sure /etc/X11/Xauthority is mode 600 and owned by root, and make sure that the copy you've made is readable by the user (either by changing the ownership or making it mode 644).

Okay, now that you have created the magic cookie, you have to tell the X server to look for it. Edit /usr/X11/bin/startx. Locate the line that says:

    serverargs=""

and change it to:

    serverargs="-auth /etc/X11/Xauthority"

This will make the "startx" script pass the "-auth" parameter to the X server with the Xauthority file. This is what makes the X server request the magic cookie from any clients.

That's about it. If you are in X, kill the server and restart it, and it *should* work. If it doesn't, feel free to mail me at: reptile@interport.net or root@reptile.net and I'll come to your rescue... :)

(Thanks to Mark Whitis for pointing out a potential security problem in version 1.1 of this document.)
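
The cookie and file steps above as a script (an added example, not part of the original document): it draws the cookie from /dev/urandom instead of inventing one by hand, and gives the user's copy to the user by ownership change at mode 600, since a mode-644 copy would let every local user read the cookie. The function names and the script name are made up for this example; it assumes xauth is installed, display :0, and the file paths used in the document.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from the document.

# gen_cookie [BYTES]: BYTES random bytes from the kernel RNG as hex. Two
# digits per byte, so the length is always even; 50 bytes = 100 digits.
gen_cookie() {
    head -c "${1:-50}" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# valid_cookie HEX: succeed only for a non-empty, even-length hex string.
valid_cookie() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# exposed FILE: succeed if group or other has any permission bit on FILE
# (a missing file is also reported).
exposed() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" != "------" ]
}

# install_cookie USER HOMEDIR: the document's steps for display :0, run as
# root. The add command goes to xauth on stdin, so the cookie never shows
# up in the process list.
install_cookie() {
    user=$1 home=$2
    cookie=$(gen_cookie) && valid_cookie "$cookie" || return 1
    umask 077
    printf 'add :0 MIT-MAGIC-COOKIE-1 %s\nexit\n' "$cookie" |
        xauth -q -f /root/.Xauthority || return 1
    cp /root/.Xauthority /etc/X11/Xauthority &&
        cp /root/.Xauthority "$home/.Xauthority" &&
        chown root /etc/X11/Xauthority &&
        chown "$user" "$home/.Xauthority" &&
        chmod 600 /etc/X11/Xauthority "$home/.Xauthority" || return 1
    for f in /etc/X11/Xauthority "$home/.Xauthority"; do
        if exposed "$f"; then echo "WARNING: $f is readable beyond its owner"; fi
    done
}

# Usage (as root): sh xcookie.sh --install USER HOMEDIR
if [ "${1:-}" = "--install" ]; then install_cookie "$2" "$3"; fi
```

The exposed check can also be run on its own against any existing authority file to find copies that other local users can read.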