From: Per Hedeland
Date: Thu, 10 Oct 2019 00:15:54 +0200
Subject: Re: accessing the host's X server from inside chroot
To: Arthur Chance
Cc: Kostas Oikonomou, freebsd-questions@freebsd.org

On 2019-10-09 18:07, Arthur Chance wrote:
> On 09/10/2019 14:18, Per Hedeland wrote:
>> On 2019-10-09 01:45, Kostas Oikonomou wrote:
>>> I am running FreeBSD 12.0p10. Using chroot, I am trying to run a browser
>>> (palemoon) located in /opt/devuan, which contains a Devuan Linux
>>> distribution installed with 'debootstrap'. My objective is for the
>>> browser to use the host's (FreeBSD) X server, not the Devuan one.
>>>
>>> I've added my FreeBSD user name as a Devuan user, home in
>>> /opt/devuan/home.
>>> Now I try things like
>>>
>>> sudo chroot -u /opt/devuan home/palemoon/palemoon
>>>
>>> but I cannot get past the error
>>>
>>> Error: cannot open display: :0.0
>>
>> The display name :0.0 corresponds to a unix domain socket, typically
>> /tmp/.X11-unix/X0, which you of course can't reach after a chroot. By
>> setting the environment $DISPLAY to localhost:0.0, a TCP connection
>> should be made instead, but these days the X server doesn't listen for
>> TCP connections by default. If you start X with startx(1), it should
>> be possible to pass it '-- -listen tcp' to make the server listen for
>> TCP connections, see the respective man pages.
>>
>> Doing this has some security implications though, since the X server
>> will then listen on the wildcard address, and it will thus be possible
>> to connect to it over the network - I didn't see a way to make it
>> listen only on the localhost/loopback address. Authorization is still
>> required to actually do anything with the server - unless, of course,
>> you turn it off with "xhost +".
>
> If you run the host X server with -listen tcp and set the DISPLAY
> variable in the chroot to localhost:0.0 I think you should be able to
> connect if you either 1) copy the FreeBSD level home directory's
> .Xauthority to the chroot's home directory or 2) run "xhost +localhost"
> at the host level before connecting.

Agreed, I didn't go into the details of how to actually make the
authorization work in this scenario. I would say that copying
.Xauthority is the preferred way since it keeps the authorization, but
while "xhost +localhost" disables it for connections from localhost,
it is probably "good enough".

--Per
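
Added example (not part of the original message or thread): a POSIX sh check for the exposure discussed above, reporting whether the X server's TCP listener for a display sits on the wildcard address and whether xhost has relaxed authorization. It assumes the FreeBSD `sockstat -l` column layout and `xhost` listing lines of the form `INET:localhost`; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: inputs below are constructed, not captured from a real host.
SAMPLE_SOCKSTAT='USER  COMMAND  PID   FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root  Xorg     1432  1  tcp6   *:6000         *:*
root  Xorg     1432  3  tcp4   *:6000         *:*
root  sshd     811   4  tcp4   *:22           *:*'
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:localhost'

# x11_listener SOCKSTAT_TEXT DISPLAY_NUM
# Display N is served on TCP port 6000+N. Prints wildcard|other|loopback|none.
x11_listener() {
    printf '%s\n' "$1" | awk -v port="$((6000 + $2))" '
        $5 ~ /^tcp/ {
            n = split($6, a, ":")
            if (a[n] != port) next
            addr = substr($6, 1, length($6) - length(a[n]) - 1)
            if (addr == "*") w = 1
            else if (addr == "127.0.0.1" || addr == "::1") l = 1
            else o = 1
        }
        END { print (w ? "wildcard" : (o ? "other" : (l ? "loopback" : "none"))) }'
}

# xhost_state XHOST_TEXT
# Prints open (xhost +), localhost (xhost +localhost) or cookie (.Xauthority only).
xhost_state() {
    printf '%s\n' "$1" | awk '
        /^access control disabled/ { off = 1 }
        /^INET6?:localhost$/       { lh = 1 }
        END { print (off ? "open" : (lh ? "localhost" : "cookie")) }'
}

# x11_exposure SOCKSTAT_TEXT XHOST_TEXT DISPLAY_NUM
x11_exposure() {
    xl=$(x11_listener "$1" "$3")
    xa=$(xhost_state "$2")
    case "$xl/$xa" in
        none/*)                   risk=unix-socket-only ;;
        wildcard/open|other/open) risk=network-unauthenticated ;;
        wildcard/*|other/*)       risk=network-reachable ;;
        *)                        risk=loopback-only ;;
    esac
    echo "listener=$xl auth=$xa risk=$risk"
}

# On the host: x11_exposure "$(sockstat -4 -6 -l)" "$(xhost)" 0
x11_exposure "$SAMPLE_SOCKSTAT" "$SAMPLE_XHOST" 0
```

A `network-reachable` result means remote hosts still need the cookie from .Xauthority, so filtering port 6000+N at the host firewall is the remaining control.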