Documentation: Handling X11 authorization with CLX

Summary: use the function EXT:OPEN-CLX-DISPLAY instead of XLIB:OPEN-DISPLAY to establish a connection with your X11 server.

To prevent malicious users from snooping on a display (and logging keystrokes, for example), X11 servers may require connection requests to be authorized. The X server (or display manager) will create a random key on startup, and store it as an entry in a file generally named $HOME/.Xauthority. Clients must extract from this file the "magic cookie" that corresponds to the server they wish to connect to, and send it as authorization data when opening the display. Users can manipulate the contents of the .Xauthority file by using the xauth command.

Most X11 programs use the xlib libraries, which transparently extract magic cookie information when establishing a connection with the X server. The old CLX code base does not have support for MIT-MAGIC-COOKIE-1 authorization, so CLX programs may be rejected by the X server. One workaround is to say xhost +localhost, to allow unauthorized X11 connections that originate from the local host. A better solution is to change CLX programs to use the CMUCL function EXT:OPEN-CLX-DISPLAY instead of XLIB:OPEN-DISPLAY to establish connections to your X11 server. This function is able to extract X11 authorization cookies from your XAUTHORITY file and present them to the X server.

As far as we know, support for X11 authorization has not been integrated into the CLX code distributed by the commercial Common Lisp vendors.

Parsing the DISPLAY environment variable

A further problem with the standard CLX function XLIB:OPEN-DISPLAY is that it doesn't correctly extract the display number from the DISPLAY environment variable. This is a problem you might run into when using CLX on an ssh-forwarded X11 session. Indeed, ssh typically sets $DISPLAY to remotehost:10, and forwards port 6010 on the remote host to port 6000 (or whatever port the local X11 server is running on) on the local host. CLX will unsuccessfully try to connect to remotehost:0.

The function EXT:OPEN-CLX-DISPLAY parses a display specifier (which defaults to the contents of the DISPLAY environment variable) to extract the display and screen numbers, so it should work automatically for ssh-forwarded X11 sessions.
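The two steps described above (splitting a display specifier, then looking up the matching magic cookie) can be sketched in portable Common Lisp. This is an added example, not CMUCL's own code. The function names are hypothetical, the sample entry is constructed, and the lookup is simplified to match on display number only.

```lisp
;;; Added example: hypothetical helper names, not CMUCL's implementation.
(defun parse-display-spec (spec)
  "Split \"host:display.screen\" into three values: host, display, screen."
  (let* ((colon (or (position #\: spec :from-end t)
                    (error "No display number in ~S" spec)))
         (dot (position #\. spec :start colon))
         (host (subseq spec 0 colon)))
    (values (if (string= host "") nil host)
            (parse-integer spec :start (1+ colon) :end dot)
            (if dot (parse-integer spec :start (1+ dot)) 0))))

(defun parse-xauthority (bytes)
  "Decode octets in .Xauthority layout into a list of property lists."
  (let ((pos 0))
    (labels ((u16 ()                    ; 16-bit big-endian integer
               (when (> (+ pos 2) (length bytes))
                 (error "Truncated entry at offset ~D" pos))
               (prog1 (+ (ash (aref bytes pos) 8) (aref bytes (1+ pos)))
                 (incf pos 2)))
             (counted ()                ; u16 length, then that many octets
               (let* ((len (u16)) (end (+ pos len)))
                 (when (> end (length bytes))
                   (error "Truncated entry at offset ~D" pos))
                 (prog1 (subseq bytes pos end) (setf pos end))))
             (text () (map 'string #'code-char (counted))))
      (loop while (< pos (length bytes))
            collect (list :family (u16) :address (counted)
                          :display (text) :name (text) :data (counted))))))

(defun find-magic-cookie (entries display)
  "Return the MIT-MAGIC-COOKIE-1 octets stored for DISPLAY (an integer), or NIL.
A complete client would also compare the entry's family and address."
  (let ((entry (find-if (lambda (e)
                          (and (string= (getf e :name) "MIT-MAGIC-COOKIE-1")
                               (string= (getf e :display)
                                        (princ-to-string display))))
                        entries)))
    (and entry (getf entry :data))))

;; Constructed sample: one entry for display 10 with a dummy 16-octet cookie.
(defun octets (string) (map '(vector (unsigned-byte 8)) #'char-code string))
(defparameter *sample*
  (concatenate '(vector (unsigned-byte 8))
               #(1 0) #(0 10) (octets "remotehost") #(0 2) (octets "10")
               #(0 18) (octets "MIT-MAGIC-COOKIE-1")
               #(0 16) (make-array 16 :initial-element #xAB)))

(multiple-value-bind (host display screen) (parse-display-spec "remotehost:10")
  (format t "~A display ~D screen ~D -> TCP port ~D~%"
          host display screen (+ 6000 display))
  (format t "cookie: ~S~%" (find-magic-cookie (parse-xauthority *sample*) display)))
```

To run it against a real file, read $HOME/.Xauthority (or the file named by XAUTHORITY) into an (unsigned-byte 8) vector and pass that to parse-xauthority in place of the sample.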

by Eric Marsden