D.2.2 Access Control Mechanisms

An access control mechanism controls which clients or applications have access to the X11 server. Only properly authorized clients can connect to the server; all others are denied access, and are terminated with the following error message.

Xlib: connection to hostname refused by server
Xlib: Client is not authorized to connect to server

The connection attempt logs to the server console as:

AUDIT: <Date Time Year>: X: client 6 rejected from IP 129.144.152.193 port 3485
	Auth name: MIT-MAGIC-COOKIE-1

There are two different types of access control mechanisms: user-based and host-based. (That is, one mechanism grants access to a particular user's account, while the other grants access to a particular host, or machine.) Unless the -noauth option is used with openwin, both the user-based access control mechanism and the host-based access control mechanism are active. For more information see "D.2.4 Manipulating Access to the Server" in this chapter.

D.2.2.1 User-Based Access

A user-based, or authorization-based mechanism allows you to give access explicitly to a particular user on any host machine. The user's client passes authorization data to the server. If the data match the server's authorization data, the user is allowed access.

D.2.2.2 Host-Based Access

A host-based mechanism is a general purpose mechanism. It allows you to give access to a particular host, in which all users on that host can connect to the server. This is a weaker form of access control: if that host has access to the server, all users on that host are allowed to connect to the server.

The Solaris environment provides the host-based mechanism for backward compatibility. Applications linked with versions of Xlib or libcps older than OpenWindows Version 2 software or X11R4 do not recognize the new user-based access control mechanism. To enable these applications to connect to the server, a user must either switch to the host-based mechanism, or relink with the newer versions of Xlib and libcps.

If possible, clients linked with older versions of Xlib or libcps should be relinked with newer versions of these libraries to enable them to connect to the server with the new user-based access control mechanism.