Smörgåsbord

Access remote X11 servers that have their TCP socket disabled

This happens to me regularly. Someone brings a machine along and I want to display some app, running on my machine, on their display. Networked X11 to the rescue, you say? No, their X11 server is started with ‘-nolisten TCP’ wich is the default on most modern Linux distros. Sadly, the TCP socket can’t be enabled ‘in-flight’ — if you decide you do fancy a TCP socket after all, you’ll have to restart your X server which may be a pain if you’re in the middle of something (besides, restarting is just plain uncool).
But there is a way to expose the Unix domain socket as a TCP socket, with the help of socat. The following examples all use bash, so if you run a different shell (if you don’t know, you probably aren’t) you may need to define environment variables differently.

Braindead Proof of Concept (BPOC)

Situation: You want to display an application running on a machine called w00t on another machine, called bling. There’s an X11 server running on bling, but it’s not configured to listen on any TCP socket. DNS is properly setup, so if you ping w00t from bling, you get replies from bling’s IP, and vice versa.

1. On bling, find the domain socket of bling’s X11 server. Have a look in /tmp/.X11-unix/. The socket’s name usually reflects its X server display number (which you can determine by running echo $DISPLAY in an xterm).
2. On bling, run something along the lines of
   socat TCP-LISTEN:6066 UNIX-CONNECT:/tmp/.X11-unix/X0
   This will open up TCP port 6066 on all of bling’s network interfaces, connecting it to the Unix domain socket of the X server.
3. In an xterm on bling, run xhost +. You have now opened up your X11 server to the whole wide world, a silly thing to do. Anyone with access to the TCP socket can now read your keystrokes, read your window contents, click your mouse buttons…
4. In an xterm on w00t, run DISPLAY="bling:66" xclock. You may have noticed that 66 = 6066 – 6000 and indeed, by convention the TCP port number for a certain display is its display number + 6000. Anyhow…. yay, a clock! It’s displayed on bling, but running on w00t.

Improvements

• You may have noticed that in the BPOC, you can use the display on bling only once. socat will allow only one client, and will exit once that client exits. In some situations, you may consider that a feature (it’s a one-time access grant), but in others you may not. If you want a reusable TCP socket, run something along the lines of
  socat TCP-listen:6066,fork,reuseaddr UNIX-CONNECT:/tmp/.X11-unix/X0 which forks off a socat process for every TCP connection.
• You may not want to expose a TCP socket on all interfaces. Maybe you only want to expose a socket on the LAN interface, or on the localhost interface (and wrap the packets in an SSH tunnel). Well, you can, using the ‘bind’ option:
  socat TCP-LISTEN:6066,bind=localhost UNIX-CONNECT:/tmp/.X11-unix/X0
  Now tunnel it over SSH. On w00t, run ssh -L 6011:localhost:6023 bling. Now localhost:6011 on woot is actually localhost:6023 on bling which is actually /tmp/.X11-unix/X0 on bling. So on w00t you can start an xclock with its display on bling by running DISPLAY="localhost:11" xclock.
• xhost + from the BPOC is braindead indeed. There are a couple things you could have done instead, there are good ways of tightening up your authorization scheme.
  • First off, you don’t really need to run xhost + if you properly set up X11 cookies, which you should. Here are some examples on using the xauth scheme, but take note: xauth generate will probably not work on recent X11 releases since the XSECURITY extension is disabled by default. Just use the same cookies on the client and the server.
  • Run xhost +w00t. That’s host-based authentication, which is stupid, but not as stupid as no authorization at all. Any user on w00t can now connect.
  • Suppose that on bling (of course!) you’d run xhost +SI:localuser:theuser with ‘theuser’ being the userID of the unix-user running the socat instance. Now from the point of view of the X server, any client connecting through socat will be coming from ‘theuser’ and will therefore be allowed access. Entertaining, but not much different from just running xhost +. It is something to keep in mind though! Many distros by default add the unix-user that started the X server to the authorization list. That user does not need a cookie. If you run socat as that user you will have the effect of running xhost + even if you run xhost -.
  • Just run a nested X11 server, such as Xnest or Xephyr. This way you put untrusted users in a sandbox, preventing them from snooping your keyboard and windows. It’s the X11 equivalent of a chroot.

Here’s a trick. Many laptop trackpads lack a middle mouse button. On a regular mouse input device, the middle mouse button is the scroll wheel, and when you press it down it emits a button event. In X11 this button event is used to paste the X selection buffer into the position right beneath the cursor (there lies sublime usability in this simple fact).
You can emulate a middle-mouse-button event by pressing the left and right mouse buttons at the same time. Since I lack the manual dexterity to do this on my tiny netbook trackpad I wanted to be able to do middle-mouse-button-paste with my keyboard. Well, that appeared to be easy to accomplish with the X11 Xtest extension for which the Xautomation collection includes a utility in the form of xte. If you’d enter xte 'mouseclick 2' in a terminal (within an X11 session, of course), you’d get the same effect as if you’d just pressed the middle mouse button. Only thing left is to add a keyboard shortcut to run this command; in my favourite window manager, XFCE, this can be done clickwise via the Settings Manager or simply by running something like xfconf-query -c xfce4-keyboard-shortcuts -p '/commands/custom/<Super>v' -s "xte 'mouseclick 2'". I can now paste my X selection buffer by pressing the funny ‘four-wobbly-squares key’ and ‘v’ simultaneously.

Today we talk usability. Specifically, desktop interaction differences between the X11 windowing system and the windowing systems that come with those operating systems you can actually buy in a shop downtown.

Select – Copy – Positionyourcursor – Paste

Say I’d like to copy some text from some window (which may or may not have the input focus) into some other window (which also may or may not have input focus). This action is commonly called ‘copy-paste’. Copy-paste. That sounds like two steps, doesn’t it?
Let’s say both windows are visible on the current desktop. Outside the of the X11 world – say, on a Windows machine, you’d have to undertake the following steps:

1. Drag-select the text in the first window.
2. Press ctrl-c or click edit/copy.
3. In the second window, click the position you where you want the text to be inserted.
4. Paste the text with ctrl-v or edit/paste.

This is not “copy-paste”. This is “select-copy-positionyourcursor-paste”. Here’s how you do it on X11:

1. Drag-select the text in the first window.
2. Hover over (you don’t need to click[*]) the position you want the text to be inserted at in the second window and paste by clicking with the middle mouse button.

There. Copy-paste. There are two atomic actions involved with that. You can’t get this down to less than two. You need to specify what you want to copy, and you need to specify where you want to paste it. The X11 engineers understood this. I entertain the thought that they must have valued my time as well, put two and two together, and that this why we have the X selection buffer on X11[**] that makes copy-paste really copy-paste.
(Read the footnote. I will show that not all is smooth in X11-land with respect to clipboards.)

Window focus

Whenever I venture out of X11-land there’s something else I dearly miss. It’s the ability of an inactive window to receive cursor input events when the cursor is on top of it. It’s immensely useful. Consider the following scenario.
Let’s say you’re browsing the web and you stumble upon a page which you want to discuss with a friend. It’s a long page, so there’s going to be some scrolling. You open up an instant messaging window to chat with your friend. You’re short on screen real estate so the IM window partly occludes the browser window. Meaning the IM window is on top of the browser window.
What you want to do now is to scroll occluded pieces of webpage text into view. But you also want to continue to see what you’re friend is saying. On Windows, you simply cannot. If you want to scroll the browser window, you’ll have to activate it, which means it will be raised, which means it will be above your IM window, which means you cannot see what your friend is typing. On X11, you can[*]. If your mouse cursor is over the browser window you can use the scroll wheel to scroll text into view, without the browser window being raised. Meaning your IM window is still on top, meaning you can still see what your friend is telling you. In fact, the IM window still has input focus so you can scroll the browser window and continue typing messages to your friend, limited only by your manual dexterity.
[Update: Added video to illustrate Windows behaviour][***]

Extravagance

If you think these situations are exotic, here’s and extravagant example for you. Open a file browser (Windows Explorer) window. Expand some folder trees in the left pane until you get a scroll bar in this pane. Navigate to a folder which has a lot of files (C:\Windows will do nicely) so the file pane also receives a scroll bar. You now have two panes, both with a scroll bar, within the same application. Thing is, you can only scroll in one of them at the time! If you want to look around in a “non-active” folder pane, you first have to click it. But don’t just click anywhere! You have to take special care to click it somewhere that doesn’t change your view in the file pane — better not click (near) one of the folders! Now suppose you’d like to scroll some files in the file pane into view. Better “activate” the file pane first then. Again, take extra special care: don’t just click anywhere in the file pane because then you may lose any previously made selection. It’s perverse, it really is. This is all happening inside one single application window. And the folder pane actually does notice when I hover over it (it underlines folders) so why can’t I scroll the view, then? Perverse. The OS is wasting my time.

Sloppy focus on Windows

I remember activating this on Windows 95 and it appears it still works. You can have crude ’sloppy focus’ on Windows. Just hex-edit your UserPreferencesMask in the Registry (Half of the times that I’m doing anything remotely interesting on Windows, I find myself entering hex values. Why is that.).
Refreshing as this may be, this will not help you with any of the above scenarios:

• In the copy-paste scenario, you still can’t specify insertion position and insert into that position in one single action.
• In the IM-while-browsing scenario, your IM window loses input focus when you scroll the web page in the browser window.
• Windows Explorer cursor behaviour stays just as perverse as it was with the standard click-to-focus model.

But hey, at least Windows users have some choice (provided they understand regedit.exe and hex). On OS-X, you don’t have a choice at all because Apple understands usability better than you do. For instance, Apple knows you head will explode if they’d give you the option of resizing your application windows by pulling any border or corner. You know very well that you will only want to resize your windows by grabbing the bottom right corner and will thank Apple for protecting you against yourself. (No, you’re not allowed to rebut until you’ve read and understand this mountain of insight and humour.)

Footnotes

[*] Actually, this is dependent on the focus policy. X11 itself does not specify the focus policy. X11 strives to provide mechanism, not policy. Policy is implemented by the window manager, and there are many window managers available for X11. A couple of them provide a ‘click to focus’ policy. Many of them provide ’sloppy focus’ and/or ‘focus follows mouse’ policies. This page has some concise definitions and elaborates on focus problems encountered the different models.

[**] Most window managers also have a ‘clipboard’, running in parallel with the X selection buffer. The clipboard only holds stuff you put there explicitly, whereas the X selection buffer holds whatever text you last selected anywhere in the X11 session. Furthermore, both clipboards usually only accept character data. So if you select and copy some pixels in drawing program A, you can’t paste them in drawing program B. Program A will have a private clipboard to hold pixel data, and B has one of its own, too. If you stay within the realm of one particular desktop environment with applications specific to this desktop environment, you may actually be able to use the clipboard inter-applicationwise for both text and binary data. But in general, you can’t. This plurality confuses the hell out of newcomers.

[***]A video demonstrating the Windows scroll focus issue: