Incorrect Security Information - Docker GUI
http://wiki.ros.org/docker/Tutorials/GUI
This post says:
A better option is opening up xhost only to the specific system that you want, for instance if you are running a container on the local host's docker daemon with container's ID stored to the shell variable containerId
xhost +local:`docker inspect --format='{{ .Config.Hostname }}' $containerId`
docker start $containerId
This will add the container's hostname to the local family's list of permitted names.
I believe this is incorrect. Adding xhost local:$(containerId) allows any local connection, not just that of the docker container. From man xhost:
The local family specifies all the local connections at once. However, the server interpreted address "si:localuser:username" can be used to specify a single local user. (See the Xsecurity(7) manual page for more details.)
Running xhost +local:put-any-string-here will allow the docker image, as well as any other local connection, to connect with X11. The article implies that this is safer than doing xhost +local:root, but it is not.
You can test this by running
xhost +local:test-user
xhost
xhost -local:not-test-user
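An added example, not part of the original post or the wiki: a shell check that reads `xhost` output and separates entries that admit every local connection from single-user `si:localuser` entries. The function name `audit_xhost` is hypothetical, and the sample listings are constructed using the entry prefixes `xhost` prints (`LOCAL:`, `SI:localuser:`, `INET:`).

```shell
#!/bin/sh
# Audit `xhost` output (read from stdin) for overly broad X11 access entries.
# Prints one finding per line; returns 0 if nothing broad was found, 1 otherwise.
audit_xhost() {
    broad=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "BROAD: access control is off, any client can connect"
                broad=1 ;;
            LOCAL:*)
                # The local family has no per-name scoping: whatever string
                # followed "+local:" is dropped and all local clients get in.
                echo "BROAD: LOCAL: admits every local connection"
                broad=1 ;;
            SI:localuser:*)
                echo "SCOPED: single local user ${line#SI:localuser:}" ;;
            INET:*|INET6:*)
                echo "HOST: network host ${line#*:}" ;;
        esac
    done
    return "$broad"
}

# Constructed sample: the listing after `xhost +local:test-user`.
SAMPLE_LOCAL='access control enabled, only authorized clients can connect
LOCAL:'

# Constructed sample: the listing after `xhost +si:localuser:alice`.
SAMPLE_SCOPED='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Audit the live display only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    xhost | audit_xhost
fi
```
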
If you feel what the wiki states is incorrect, then I think it would be good if you could update it to something that would be correct. The wiki is a wiki, so after registering for an account you can edit it.
Hear, hear! If you'd like to clarify this point, feel free to update the wiki. I think the original intent was to annotate the permission so users could determine the container they added the xhost exception for.