Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Topic: Changed mit magic cookie behavior – x11vnc now needs explicit auth info (Read 883 times) previous topic - next topic

0 Members and 2 Guests are viewing this topic.

Changed mit magic cookie behavior – x11vnc now needs explicit auth info

29 July 2023, 13:59:18

Hi all,

for quite some years, I accessed a machine (first Gentoo, now Artix since a year or so) using x11vnc. I create an ssh tunnel and start the x11vnc server. For years, it worked like that:

Code: [Select]

ssh -t -L 5900:localhost:5900 user@remote \
    'x11vnc -rfbauth ~/.vnc/passwd -localhost -display :0 -geometry 1728x972 -nomodtweak'

Essentially, the x11vnc call strips down to

Code: [Select]

x11vnc -display :0

Now, x11vnc would not start anymore like this. I tried to track it down.

Sitting in front of the remote machine, I could start x11vnc simply by typing "x11vnc". But not remotely anymore. Also giving the explicit auth info doesn't work ("x11vnc -display :0 -auth ~/.Xauthority" – at least I think this should be the auth info – on my Gentoo machine, this works).

I could however start x11vnc as root using SDDM's magic cookie like this:

Code: [Select]

x11vnc -display :0 -auth $(find /var/run/sddm/ -type f)

Finally, I could figure out how to still start x11vnc remotely as a (logged in) user, by using a /tmp/xauth... file. Like that:

Code: [Select]

x11vnc -display :0 -auth $(find /tmp -name xauth\* -user $(whoami) -type f)

So, apparently, the xauth/magic cookie handling has changed recently?

~/.Xauthority seems to be stale, and the real info now seems to be located in /tmp/xauth_*? Nevertheless, "xauth info" still outputs ~/.Xauthority as "Authority file"?

Can anybody explain this? Thanks for all help!

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #1 – 29 July 2023, 15:30:23

I have no idea for the reason nor the energy to research it, (could be the new major sddm update has a bug, or could be yet some more "security" stuff like the self clearing clipboard thing cause X11 also updated), but basically the .Xauthority file in the user's own directory doesn't take precedence anymore, and/or is not longer valid if used externally.
You can of course try to play in xhost to see if something changes, just don't give root too much permissions. :-)
Related: https://forum.artixlinux.org/index.php/topic,5685.msg35718.html#msg35718

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #2 – 29 July 2023, 15:42:43

Quite interesting. Well, maybe the location of that file was changed without anybody (or at least me) noticing.

But why does "xauth info" still report "~/.Xauthority" as the "Authority file", when it should be "/tmp/xauth_something"?

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #3 – 29 July 2023, 16:50:43

Hmm, i looked now and for me it says /tmp/xauth_something
Try to move your .Xauthority file somewhere else, restart and see.
Is it exactly the same (checksum wise) as the one in /tmp or different, asking out of curiosity?

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #4 – 29 July 2023, 17:12:00

~/.Xauthority seems to be stale, the last change date is long before the last login. Consequently, the content is not the same.

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #5 – 29 July 2023, 17:24:43

Okay, this is interesting: If I open a console physically on the machine, xauth info reports /tmp/xauth_xxx as the location of the authority file.

If I open an ssh session to the same machine and the same, graphically logged in user, it reports ~/.Xauthority (and complains it would not exist, as I deleted it meanwhile).

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #6 – 29 July 2023, 19:46:55

do you have any export like this. try to echo this var

Code: [Select]

export XAUTHORITY="$XDG_RUNTIME_DIR/Xauthority" # This line will break some DMs.

in past many softwares including many DE where depending on this to be in user home dir.
I no longer use any DE so I can not confirm this still affect popular DE like KDE or gnome

EDIT: The path in my example is different, this is the path I use in my own pc, your system might be different. try:

Code: [Select]

ls $XAUTHORITY

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #7 – 29 July 2023, 20:02:24

But this won't point to the actual location below /tmp, will it?

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #8 – 30 July 2023, 02:32:16

I tried with this occasion to set it manually but then the DE doesn't load (which is still better than it looping and covering the tty's, hehe, happened last month on update of sddm/procps)
The file will not get created which begs the question, what is creating the cookie file and why would it sit only in /tmp?
This has to be sddm, really.

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #9 – 30 July 2023, 08:48:05

can these DE and package breaking be because of xwayland. take a look here
I use none of the affected package, so ...

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #10 – 30 July 2023, 10:57:08

I don't think that anything is actually broken. I think x11vnc simply looks in standard locations to acquire the cookie, and if the information is not found there, it can't start … so maybe, being in /tmp is the new standard location x11vnc simply doesn't know of yet?

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #11 – 31 July 2023, 22:11:46

For some reason beyond my comprehension, the decades old standard location of the xauth cookie has changed, but not consistently. SDDM users will definitely see it stored in /tmp/.

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #12 – 01 August 2023, 17:04:19

This definitely sucks … thanks for the insight however!

Well, after some headache, I did manage to get my remote stuff up and running again. But what about the xauth info output? Why do I get the actual location if I request it on a console physically located on the respective machine, but not if I login via ssh?

If I got the correct location this way, it would be way easier to parse xauth's output to extract the cookie than to guess what strange file could perhaps contain the correct information …

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #13 – 01 August 2023, 18:49:31

There might be a couple of ways to do this, a quick one would be to force symlink the /tmp cookie to ~/.Xauthority (the $XAUTHORITY variable should reveal the real cookie location) at the startup of the Xorg session with a script in ~/.config/autostart.

Re: Changed mit magic cookie behavior – x11vnc now needs explicit auth info

Reply #14 – 02 August 2023, 09:46:14

Hm, okay – on a local session, $XAUTHORITY actually contains the cookie location. But so does xauth info. $XAUTHORITY is empty for a remote session.

Basically, automatically creating a symlink to the real cookie on X startup seems to be a nice idea! I only fear this will interfere with future SDDM development decisions (who knows what they will do next) if it force-links to ~/.Xauthority …

So I think either, I would use another name (like ~/.xauth_info or whatever), or I simply stick to find it via $(find /tmp -name xauth\* -user $(whoami) -type f) for now. For the former, I would still have to pass explicit auth info to x11vnc …