xhost命令以及DISPLAY环境变量

Cited from http://space.itpub.net/14210591/viewspace-414931

1. xhost [[+-]name ...]  (server access control program for X)
options:
    -help   Prints a usage message.
    [+]name The given name(the plus sign is optional) is added to the list allowed to connect to the X server.  The name can be a host name or a user name.
    -name   The given name is removed from the list of allowed to connect to the server. The name can be a host name or a user name. Existing  connections  are not broken, but new connection attempts will be denied. Note that the current machine is allowed to be removed; however, further connections (including attempts to add it back) will not be permitted. Resetting the server (thereby breaking all connections) is the only way to allow local connections again.
    +       Access is granted to everyone, even if they aren’t on the list (i.e., access control is turned off).
    -       Access is restricted to only those on the list (i.e., access control is turned on).
    nothing If no command line arguments are given, a message indicating whether or not access control is currently enabled is printed, followed by the list of those allowed to connect.  This is the only option that may be used from machines other than the controlling host.
2. DISPLAY 环境变量
    在Linux/Unix类操作系统上, DISPLAY用来设置将图形显示到何处. 直接登陆图形界面或者登陆命令行界面后使用startx启动图形, DISPLAY环境变量将自动设置为:0:0, 使用xdpyinfo可以查看当前显示的详细信息
    DISPLAY 环境变量格式如下host:NumA.NumB, host指Xserver所在的主机主机名或者ip地址, 图形将显示在这一机器上, 可以是启动了图形界面的Linux/Unix机器, 也可以是安装了Exceed, X-Deep/32等Windows平台运行的Xserver的Windows机器. 如果Host为空, 则表示Xserver运行于本机, 并且图形程序(Xclient)使用unix socket方式连接到Xserver, 而不是TCP方式. 使用TCP方式连接时, NumA为连接的端口减去6000的值, 如果NumA为0, 则表示连接到6000端口; 使用unix socket方式连接时则表示连接的unix socket的路径, 如果为0, 则表示连接到/tmp/.X11-unix/X0. NumB则几乎总是0.
    如果使用su username或者su - username切换到别的用户, 并且使用命令
        export DISPLAY=:0.0
    设置DISPLAY环境变量, 运行图形程序(如xclock)时会收到如下错误:
        Xlib: connection to ":0.0" refused by server
        Xlib: No protocol specified
        Error: Can't open display: :0.0
    这是因为Xserver默认情况下不允许别的用户的图形程序的图形显示在当前屏幕上. 如果需要别的用户的图形显示在当前屏幕上, 则应以当前登陆的用户, 也就是切换身份前的用户执行如下命令
        xhost +
    这个命令将允许别的用户启动的图形程序将图形显示在当前屏幕上.
3. 配置运行远程服务器的图形程序
    a.服务器端配置文件/etc/ssh/sshd_config中修改
        X11Forwarding no  #禁止用户运行远程主机上的X程序
    b.客户端配置文件/etc/ssh/ssh_config
        ForwardX11 yes  设置X11连接是否被自动重定向到安全的通道和显示集（DISPLAY set）
    c.设置本地机器的Xserver监听相应的TCP端口. 而现在的Linux系统出于安全的考虑, 默认情况下不再监听TCP端口. 可通过修改/etc/X11/xinit/xserverrc文件, 将
        exec /usr/bin/X11/X -dpi 100 -nolisten tcp  #dpi(dots per inch)-像素
       修改为
        exec /usr/bin/X11/X -dpi 100
       允许在直接使用startx启动图形时启动对TCP端口的监听.
    或者登陆窗口选择"Options" -> "Configure Login Manager..."的Security页面, 取消"Deny TCP connections to Xserver"
参考链接：
命令参考大全，卷 6，v - z - xhost 命令 http://study.chyangwa.com/IT/AIX/aixcmds6/xhost.htm
Linux下DISPLAY环境变量的作用 http://unix-cd.com/unixcd12/article_6842.html
sshd_config配置文档 http://bbs.5y6s.com/htm_data/20/0710/9516.html
ssh_config 文件配置详解 http://blog.chinaunix.net/u1/35016/showart_494442.html
Enabling X11 Access Control (Fixing xhost +) -> http://www.phy.bnl.gov/cybersecurity/old/xhost_plus.html

 

X Window System http://en.wikipedia.org/wiki/X_Window_System

Xserver,DISPLAY,Xhost http://hi.baidu.com/maydayuiui/blog/item/996b1d2da86c6de58b139913.html