Unless the user customizes ~/.xserverrc, xinit runs X via /etc/X11/xinit/xserverrc (even if the user does customize ~/.xinitrc). The default xserverrc contains:

    exec /usr/bin/X -nolisten tcp

That is, xinit's "-auth" parameter is not passed to the X server. Suggest changing the contents to:

    #!/bin/sh
    exec /usr/bin/X -nolisten tcp "$@"

(it's a script, too - it's not sourced)

Check with

    XAUTHORITY= xhost

which should fail when authorization is enabled.

Note that there is pam_xauth for passing authorization cookies to other users.
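The effect described in the report above, as an added example that is not part of the original bug thread: a constructed stub stands in for /usr/bin/X and records its arguments, so both xserverrc variants can be run without a real X server. The helper names, the stub and the sample cookie path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: show which arguments reach the X server for each xserverrc body.

# run_xserverrc BODY ARGS...
# Write BODY as an xserverrc whose /usr/bin/X is replaced by a stub, run it as a
# separate script with ARGS (xinit executes xserverrc, it does not source it),
# and print the arguments the stub received, one per line.
run_xserverrc() {
    body=$1; shift
    dir=$(mktemp -d) || return 1
    # Constructed stub X server: prints its argv, one argument per line.
    printf '%s\n' '#!/bin/sh' 'printf "%s\n" "$@"' > "$dir/X"
    # The stub is started through "sh" so the demo does not depend on exec bits.
    printf '#!/bin/sh\n%s\n' "$body" | sed "s|/usr/bin/X|sh $dir/X|" > "$dir/xserverrc"
    sh "$dir/xserverrc" "$@"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# auth_forwarded BODY
# Succeed only if the "-auth" option given to xserverrc reaches the server.
# The display and cookie path below are constructed sample values.
auth_forwarded() {
    run_xserverrc "$1" :0 -auth /tmp/serverauth.EXAMPLE | grep -qx -- '-auth'
}

OLD='exec /usr/bin/X -nolisten tcp'          # default xserverrc from the report
NEW='exec /usr/bin/X -nolisten tcp "$@"'     # suggested replacement

report() {
    if auth_forwarded "$1"; then
        echo "forwards -auth: $1"
    else
        echo "DROPS -auth:    $1"
    fi
}

report "$OLD"
report "$NEW"
```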
I can confirm Debian has also changed its xserverrc to:

    #!/bin/sh
    exec /usr/bin/X -nolisten tcp "$@"

re: http://ftp.de.debian.org/debian/pool/main/x/xinit/xinit_1.2.0-2.diff.gz
Fixed in xinit-1.2.0-r4 (stabilize this one) and for ~arch users in 1.3.0-r1.
Arch teams, please test and mark stable:
=x11-apps/xinit-1.2.0-r4
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable
amd64 done
ppc64 done
Stable for HPPA PPC.
arm stable
alpha/ia64/s390/sh/sparc stable, closing