Forwarding /tmp/.X11-unix/X0 and xauth cookie is not enough. xhost is also required.

Hello everyone,

I work in an LXD container as follows:

host: Leap 15.3 DE: XFCE
client: Tumbleweed

I forward the socket /tmp/.X11-unix/X0 from my host to my client. I also forward the .Xauthority file.
I check the output of xauth list and MIT-MAGIC-COOKIE-1 matches between the host and client. The user UID and name also match. It’s 1000. The container is privileged.

I’ve used a similar arrangement for a few years with different distros and it always worked for me. However, when I moved to openSUSE Leap, I got the following issue. When I open xclock, I get a “no protocol specified” error and cannot connect to display :0.

I’ve spent some time and found an extra step that lets me open xclock:

xhost +SI:localuser:<username>

My questions are below:

  1. Why is the cookie sharing not enough?
  2. If it’s not possible to make the cookie sharing work without xhost, how can I automate the execution of the xhost command at the session login? Where is the script running at the X11 session start? I tried /etc/X0.hosts and it seems to be ignored.

xhost is avoidable by using FamilyWild cookies.

I create a new .Xauthority file with this:

tmp1=$(mktemp)
xauth nlist "$DISPLAY" | sed -e 's/^..../ffff/' | xauth -f "${tmp1}" nmerge -

It does work. Nice, elegant solution. Thanks.
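
What the sed rewrite in the answer above changes, as an added example that is not part of the original thread: it decodes an `xauth nlist` record, overwrites the family field with ffff (FamilyWild), and uses a simplified model of the client-side cookie lookup to show the effect. The hostnames "leaphost" and "tw-container", the cookie value and the function names are constructed for illustration.

```python
FAMILY_LOCAL = 0x0100   # FamilyLocal: entry is keyed by the X server's hostname
FAMILY_WILD = 0xFFFF    # FamilyWild: entry matches any address

# Constructed record in `xauth nlist` form (hostname "leaphost", display 0, dummy cookie).
SAMPLE = ("0100 0008 6c656170686f7374 0001 30 "
          "0012 4d49542d4d414749432d434f4f4b49452d31 "
          "0010 00112233445566778899aabbccddeeff")

def parse_nlist(line):
    """Decode one record: family, then address, display, auth name, data."""
    tok = line.split()
    entry, i = {"family": int(tok[0], 16)}, 1
    for key in ("address", "number", "name", "data"):
        length = int(tok[i], 16)            # each field is preceded by its length
        raw = bytes.fromhex(tok[i + 1]) if length else b""
        if len(raw) != length:
            raise ValueError(f"{key}: length field says {length}, got {len(raw)}")
        entry[key] = raw
        i += 2 if length else 1             # an empty field has no data token
    return entry

def to_wild(line):
    """Same rewrite as sed 's/^..../ffff/': overwrite the 4-hex-digit family."""
    return "ffff" + line[4:]

def matches(entry, hostname, display):
    """Simplified model (an assumption, not libXau itself) of the client lookup."""
    addr_ok = (entry["family"] == FAMILY_WILD
               or (entry["family"] == FAMILY_LOCAL
                   and entry["address"] == hostname.encode()))
    num_ok = not entry["number"] or entry["number"] == display.encode()
    return addr_ok and num_ok

if __name__ == "__main__":
    for label, line in (("original", SAMPLE), ("wild", to_wild(SAMPLE))):
        e = parse_nlist(line)
        print(label, hex(e["family"]), e["address"].decode(), e["name"].decode(),
              "| host match:", matches(e, "leaphost", "0"),
              "| container match:", matches(e, "tw-container", "0"))
```

The cookie bytes are identical in both records; only the key under which the client finds them changes, so a container whose hostname differs from the host's can still select the entry.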