System
xhost
Control X server access permissions.
Additional Notes
xhost manages the access control list (ACL) for the X server. It controls which clients (hosts or users) are allowed to connect to the X display. The default configuration typically allows only local connections from the same user.
The modern and more secure approach to X11 access control is xauth (MIT-MAGIC-COOKIE authentication), where each client must present a matching cookie. Using xhost + (allow all connections) is a security risk and should be avoided except for testing or trusted local networks.
Syntax
xhost [options] [hostname...]
Parameters
+hostname: Add a host to the access control list.-hostname: Remove a host from the access control list.+: Disable all access control (allow all connections).-: Enable access control (default, requires authentication).
Common Options
+SI:username: Add access for a specific user on any host.-SI:username: Remove access for a specific user.+local:username: Allow connections from the local machine for a specific user.-local:username: Disallow local connections for a specific user.
Examples
xhost
Show the current access control status and allowed hosts.
xhost +SI:localuser:alice
Allow user alice to connect from the local machine.
xhost +192.168.1.100
Allow connections from IP 192.168.1.100.
xhost -
Enable access control (reject connections without a valid cookie).
xhost +
Disable all access control. Security risk. Only use in isolated environments.
Practical Notes
- Running
xhost +allows anyone on any network to connect to your X display and capture keystrokes or screen contents. - Use
xauthfor secure authentication instead of relying solely on host-based control. - Access control changes only affect future connections; existing connections are not dropped.
- On Wayland,
xhostdoes not apply (Wayland uses different security models). - The
ssh -Xandssh -Yoptions handle X11 access automatically using xauth cookies.