Replying now to [email protected]:
>[…] any
>application which uses the X server (ie. can access the tcp port
>or unix socket and has the correct xauth key […]
The default PF configuration blocks access to the ports, but only on
non-loopback interfaces.
https://github.com/openbsd/src/blob/master/etc/pf.conf
Again, I'm not an X11 expert, but it looks like the X auth file exists
because anyone can connect to these ports on localhost, so the file would
mediate it further. PF can match packets based on UIDs, but if I understand
pf.conf(5) correctly, it matches based on the user owning the listening
socket (which would be the dedicated X11 account) rather than the user that
tries to connect to the X server. The xauth(1) and Xsecurity(7) man pages
seem relevant; I'll have a deeper look at them later.

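As an added illustration (not part of the message above, and not the OpenBSD tree's own pf.conf), a minimal ruleset showing the two points under discussion: loopback is skipped entirely, so the X11 block only applies to external interfaces, and a `user` match on an inbound connection keys on the listening socket's owner. The `_x11` account name is assumed here as the X server's dedicated user.

```pf
# Loopback is not filtered at all, so local clients always reach the X
# server's TCP port or unix socket; only the xauth cookie mediates them.
set skip on lo

block return            # default deny, stateless
pass                    # stateful allow for everything not matched below

# Refuse X11 (TCP 6000-6010) on every interface except loopback.
block return in on ! lo0 proto tcp to port 6000:6010

# "user" matches the socket owner the kernel associates with the packet.
# For an inbound connection to this host that is the user of the
# listening socket, i.e. the X server's account (assumed name _x11),
# not the local user attempting the connection.
block return in proto tcp to port 6000:6010 user _x11
```

`pfctl -nf <file>` parses the ruleset without loading it, and `pfctl -sr` shows what is currently active.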