xhost - server access control program for X
xhost accepts the following command line options described
below. For security, the options that effect access control
may only be run from the "controlling host". For
workstations, this is the same machine as the server. For
X terminals, it is the login host. Prints a usage message.
The given name (the plus sign is optional) is added
to the list allowed to connect to the X server. The name
can be a host name or a user name. The given name is
removed from the list of allowed to connect to the server.
The name can be a host name or a user name. Existing connections
are not broken, but new connection attempts will
be denied. Note that the current machine is allowed to be
removed; however, further connections (including attempts
to add it back) will not be permitted. Resetting the
server (thereby breaking all connections) is the only way
to allow local connections again. Access is granted to
everyone, even if they are not on the list (that is,
access control is turned off). Access is restricted to
only those on the list (that is, access control is turned
on). If no command line arguments are given, a message
indicating whether or not access control is currently
enabled is printed, followed by the list of those allowed
to connect. This is the only option that may be used from
machines other than the controlling host.
The xhost program is used to add and delete host names or
user names to the list allowed to make connections to the
X server. In the case of hosts, this provides a rudimentary
form of privacy control and security. It is only
sufficient for a workstation (single user) environment,
although it does limit the worst abuses. Environments
which require more sophisticated measures should implement
the user-based mechanism, or use the hooks in the protocol
for passing other authentication data to the server.
Hostnames that are followed by two colons (::) are used in
checking DECnet connections; all other hostnames are used
for TCP/IP connections.
A complete name has the syntax "family:name" where the
families are as follows: Internet host DECnet host Secure
RPC network name Kerberos V5 principal contains only one
name, the empty string.
The family is case insensitive. The format of the name
varies with the family. For backward compatibility with
pre-R6 xhost, names that contain an at-sign (@) are
assumed to be in the nis family. Otherwise, the inet family
For each name added to the access control list, a line of
the form "name being added to access control list" is
printed. For each name removed from the access control
list, a line of the form "name being removed from access
control list" is printed.
to get the default host and display to use.
You cannot specify a display on the command line because
-display is a valid command line argument (indicating that
you want to remove the machine named "display" from the
The X server stores network addresses, not host names.
This is not really a bug. If somehow you change a host's
network address while the server is still running, xhost
must be used to add the new address and/or remove the old
X(1X), Xsecurity(1X), Xdec(1X), xdm(1X)
Bob Scheifler, MIT Laboratory for Computer Science,
Jim Gettys, MIT Project Athena (DEC).
[ Back ]