fix: Enable Xauth access control for X11 sessions

calsys456 · calsys456 · commit fc1234f158fd · 2025-12-05T14:11:01.000+08:00
Use Xauth instead of unsafe xhost +
diff --git a/data/scripts/Xsetup b/data/scripts/Xsetup
@@ -1,6 +1,2 @@
 #!/bin/sh
 # Xsetup - run as root before the login dialog appears
-
-# Allow all client connect to the Xorg server. Since our X server is started as
-# root, but sessions are started as user.
-xhost +
diff --git a/src/helper/UserSession.cpp b/src/helper/UserSession.cpp
@@ -82,8 +82,7 @@ namespace DDM {
             // If the Xorg display server was already started, write the passed
             // auth cookie to /tmp/xauth_XXXXXX. This is done in the parent process
             // so that it can clean up the file on session end.
-            if (env.value(QStringLiteral("XDG_SESSION_TYPE")) == QLatin1String("x11")
-                && m_displayServerCmd.isEmpty()) {
+            if (env.value(QStringLiteral("XDG_SESSION_TYPE")) == QLatin1String("x11")) {
                 // Create the Xauthority file
                 QByteArray cookie = helper->cookie();
                 if (cookie.isEmpty()) {
@@ -111,9 +110,7 @@ namespace DDM {
 
                 env.insert(QStringLiteral("XAUTHORITY"), m_xauthFile.fileName());
                 setProcessEnvironment(env);
-            }
 
-            if (env.value(QStringLiteral("XDG_SESSION_TYPE")) == QLatin1String("x11")) {
                 QString command;
                 if (env.value(QStringLiteral("XDG_SESSION_CLASS")) == QLatin1String("greeter")) {
                     command = m_path;
