Re: Chroot and X-Window applications

From: Nigel Wade (nmw_at_ion.le.ac.uk)
Date: 05/20/03


Date: Tue, 20 May 2003 16:58:59 +0100

Erwan Becquet wrote:

> Hi everybody,
>
> I have a strange problem: I want to start programs
> from a chrooted tree. It works perfectly with non-X
> apps. But with X apps (emacs for example), I have an
> error "Cant Connect to X Server on :0". The same works
> perfectly without chroot.
>
> I think X-Window uses some special place of the filesystem
> but I can't find what.
>
> I tried with a chroot on / and it works. But when I tried
> to copy the whole tree to a subtree (like /tmp/jail), so I have
> under /tmp/jail: usr, var, etc, tmp, bin, sbin, home etc ...
> and try that, it fails.
>
> Has someone already encountered a similar problem? Or maybe
> someone has a deep knowledge of X-Window mechanisms and could
> help me?
>
> Thanks in advance.

If the X server is relying on xauth authorization then it needs access to
the .Xauthority file. Has this file been copied to the chroot jail? As a
simple test, temporarily turn off X security with the command
'xhost +localhost' so any application on the localhost should be able to
connect. Don't forget to remove this loophole after the test with
'xhost -localhost'.

If your flavour of UNIX has a method of tracing system calls
(strace, truss, par, etc.), run the X application with tracing on and compare
the output from normal and chroot'd to see what files it's trying to access
which don't exist in the chroot jail.

-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
            University of Leicester, Leicester, LE1 7RH, UK 
E-mail :    nmw@ion.le.ac.uk 
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555
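
The trace comparison suggested in the reply above, as an added example that is not part of the original post: it parses two strace-style traces and lists the paths that succeeded in the normal run but fail only with ENOENT inside the jail. The sample trace lines, the `/home/user` path and the function names are constructed for illustration.

```python
import re

# Path-taking syscalls as strace prints them, e.g.
#   open("/home/user/.Xauthority", O_RDONLY) = -1 ENOENT (No such file or directory)
CALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?P<call>open|openat|access|stat|connect)\('
    r'[^"]*"(?P<path>[^"]+)".*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)

def accessed_paths(trace_text):
    """Map each path in a trace to the set of outcomes seen: 'ok' or an errno name."""
    seen = {}
    for line in trace_text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            outcome = m.group("errno") if m.group("ret").startswith("-") else "ok"
            seen.setdefault(m.group("path"), set()).add(outcome)
    return seen

def missing_in_jail(normal_trace, jail_trace):
    """Paths that worked in the normal run but only fail with ENOENT in the chroot.
    Paths in the jail trace are relative to the jail root, so they compare directly."""
    normal, jail = accessed_paths(normal_trace), accessed_paths(jail_trace)
    return sorted(p for p, out in jail.items()
                  if "ENOENT" in out and "ok" not in out and "ok" in normal.get(p, ()))

# Constructed sample traces (not captured from a real system).
NORMAL = '''\
open("/usr/lib/libX11.so.6", O_RDONLY) = 3
open("/usr/share/locale/en_GB/LC_MESSAGES/emacs.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/home/user/.Xauthority", R_OK) = 0
connect(5, {sa_family=AF_UNIX, sun_path="/tmp/.X11-unix/X0"}, 19) = 0
'''
JAIL = '''\
open("/usr/lib/libX11.so.6", O_RDONLY) = 3
open("/usr/share/locale/en_GB/LC_MESSAGES/emacs.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/home/user/.Xauthority", R_OK) = -1 ENOENT (No such file or directory)
connect(5, {sa_family=AF_UNIX, sun_path="/tmp/.X11-unix/X0"}, 19) = -1 ENOENT (No such file or directory)
'''

if __name__ == "__main__":
    for path in missing_in_jail(NORMAL, JAIL):
        print("missing in jail:", path)
```

Lookups that fail in both runs, such as the locale file in the sample, are filtered out, so only differences caused by the jail remain.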

