Xauth is easy; the most common application is this:
Suppose you log in as user1 and you want to allow user2 to open the display of user1.
* under <user1>:
Code:
$ xauth list
<hostname>/unix:0 MIT-MAGIC-COOKIE-1 03f3300ed7caa12e87ebcc0c2d51516c
* under <user2>:
Code:
$ xauth add <hostname>/unix:0 MIT-MAGIC-COOKIE-1 03f3300ed7caa12e87ebcc0c2d51516c
Now in your case it is not using the xauth mechanism. I see three reasons:
* you have an xhost + somewhere, which removes all checks
from <user1> try
and retry as <user2> to open a window
* your xserver is launched in mode 'no auth required' with option -ac.
try
* there is a link from <user2>/.Xauthority to <user1>/.Xauthority and <user2> has read access to <user1>/.Xauthority. This is a big security risk. (Only /root/.Xauthority could be linked to /home/user1/.Xauthority; as root has read access to the latter, this allows root to access the X display of user1.)
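
The three causes listed above can each be checked from a shell. The script below is an added example, not part of the original post: the function names are hypothetical, and the demo inputs (xhost text, server command line, temporary cookie files) are constructed so that it runs without an X session.

```shell
#!/bin/sh
# Added example: one check per cause listed in the post.

# Cause 1: `xhost +`. Argument: the text printed by `xhost`.
xhost_is_open() {
    case "$1" in
        *"access control disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Cause 2: server started with -ac. Argument: the X server command line,
# e.g. one line of `ps -e -o args`. Matches -ac only as a whole word.
server_has_ac() {
    case " $1 " in
        *" -ac "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Cause 3: shared cookie file. Prints symlink, readable (group or other
# can read it), ok, or missing.
cookie_file_risk() {
    if [ -L "$1" ]; then echo symlink; return 0; fi
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    bits=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    case "$bits" in
        *r*) echo readable ;;
        *) echo ok ;;
    esac
}

# Constructed demo inputs, so the script runs without an X session.
demo() {
    d=$(mktemp -d)
    touch "$d/user1.Xauthority"; chmod 600 "$d/user1.Xauthority"
    ln -s "$d/user1.Xauthority" "$d/user2.Xauthority"
    if xhost_is_open "access control disabled, clients can connect from any host"; then
        echo "xhost: access control is off"
    fi
    if server_has_ac "/usr/lib/xorg/Xorg :0 -ac -nolisten tcp"; then
        echo "server: started with -ac"
    fi
    echo "user1 cookie: $(cookie_file_risk "$d/user1.Xauthority")"
    echo "user2 cookie: $(cookie_file_risk "$d/user2.Xauthority")"
    rm -rf "$d"
}
demo
```

On a live system, pass the real `xhost` output, the X server's command line and the path of each user's cookie file to the three functions instead of the demo values.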