Incorrect Security Information - Docker GUI

asked 2018-05-31 19:05:10 -0500

rschaefer2

http://wiki.ros.org/docker/Tutorials/GUI

This post says:

A better option is opening up xhost only to the specific system that you want, for instance if you are running a container on the local host's docker daemon with container's ID stored to the shell variable containerId

xhost +local:`docker inspect --format='{{ .Config.Hostname }}' $containerId`
docker start $containerId

This will add the container's hostname to the local family's list of permitted names.

I believe this is incorrect. Adding xhost local:$(containerId) allows any local connection, not just that of the docker container. From man xhost

The local family specifies all the local connections at once. However, the server interpreted address "si:localuser:username" can be used to specify a single local user. (See the Xsecurity(7) manual page for more details.)

Running xhost +local:put-any-string-here will allow the docker image, as well as any other local connection to connect with X11. The article implies that this is safer than doing xhost +local:root, but it is not.

You can test this by running

xhost +local:test-user
xhost
xhost -local:not-test-user
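The check described in the question above, as an added example that is not part of the original post or the wiki: a shell function that reads the listing printed by `xhost` and flags every entry wider than a single local user. The sample listing and the user name `rosdev` are constructed, and the `LOCAL:` and `SI:localuser:` line formats are assumed from typical `xhost` output.

```shell
#!/bin/sh
# Added example. Usage on a live display:  xhost | audit_xhost
# The narrow form quoted from the man page is: xhost +si:localuser:<username>

# Constructed sample: what the listing is assumed to look like after
# `xhost +local:test-user` followed by `xhost +si:localuser:rosdev`.
SAMPLE_XHOST_OUTPUT='access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:rosdev'

# Reads xhost output on stdin, prints one verdict per entry.
# Returns 1 if any entry admits more than one named local user, else 0.
audit_xhost() {
    broad=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                # Result of a bare `xhost +`: no access list is enforced.
                echo "BROAD  access control is off"
                broad=1 ;;
            "access control enabled"*|"")
                ;;  # status header or blank line, nothing to judge
            LOCAL:*)
                # The local family covers all local connections at once;
                # the name typed after "local:" does not narrow it.
                echo "BROAD  $line  (all local connections)"
                broad=1 ;;
            SI:localuser:*)
                echo "OK     $line  (single local user)" ;;
            *)
                # Network families and other entries need a human look.
                echo "REVIEW $line" ;;
        esac
    done
    return "$broad"
}
```

Running `printf '%s\n' "$SAMPLE_XHOST_OUTPUT" | audit_xhost` exercises the function on the constructed listing without an X server.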

Comments

1

If you feel what the wiki states is incorrect, then I think it would be good if you could update it to something that would be correct. The wiki is a wiki, so after registering for an account you can edit it.

gvdhoorn ( 2018-06-01 08:07:59 -0500 )

Hear, hear! If you'd like to clarify this point, feel free to update the wiki. I think the original intent was to annotate the permission so users could determine the container they added the xhost exception for.

ruffsl ( 2018-06-19 14:36:01 -0500 )