On Tue, Oct 24, 2023 at 3:46 PM Serge E. Hallyn <serge@xxxxxxxxxx> wrote: > Disabling them altogether would break lots of things depending on them, > like X :) (@/tmp/.X11-unix/X0). FWIW, X can connect over both filesystem-based unix domain sockets and abstract unix domain sockets. When a normal X client tries to connect to the server, it'll try a bunch of stuff, including an abstract unix socket address, a filesystem-based unix socket address, and TCP: $ DISPLAY=:12345 strace -f -e trace=connect xev >/dev/null connect(3, {sa_family=AF_UNIX, sun_path=@"/tmp/.X11-unix/X12345"}, 24) = -1 ECONNREFUSED (Connection refused) connect(3, {sa_family=AF_UNIX, sun_path="/tmp/.X11-unix/X12345"}, 110) = -1 ENOENT (No such file or directory) [...] connect(3, {sa_family=AF_INET, sin_port=htons(18345), sin_addr=inet_addr("127.0.0.1")}, 16) = 0 connect(3, {sa_family=AF_INET6, sin6_port=htons(18345), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = 0 connect(3, {sa_family=AF_INET6, sin6_port=htons(18345), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=htonl(0), sin6_scope_id=0}, 28) = -1 ECONNREFUSED (Connection refused) connect(3, {sa_family=AF_INET, sin_port=htons(18345), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused) And the X server normally listens on both an abstract and a filesystem-based unix socket address (see "netstat --unix -lnp"). So rejecting abstract unix socket connections shouldn't prevent an X client from connecting to the X server, I think.