Subject: Re: X security query.
To: Aidan Kehoe <kehoea@parhasard.net>
From: Steven M. Bellovin <smb@research.att.com>
List: current-users
Date: 05/06/2003 07:41:47
In message <16055.26888.771224.18789@matrix.netsoc.tcd.ie>, Aidan Kehoe writes:
>
>Hi, 
>
>[I would consider posting this to the XFree86 lists, but given the deafening
>silence that normally accompanies in-depth, obscure queries there, I'll try
>here first. Failing an answer, directions to a more suitable list with a bit
>of life in it would be welcome too.]
>
>

According to the XServer man page (I think I have 4.3.0 running):

       Authorization data required  by  the  above  protocols  is
       passed  to  the  server  in  a private file named with the
       -auth command line option.  Each time the server is  about
       to  accept the first connection after a reset (or when the
       server is starting), it reads this  file.   If  this  file
       contains  any authorization records, the local host is not
       automatically allowed  access  to  the  server,  and  only
       clients  which  send one of the authorization records contained
       in the file in  the  connection  setup  information
       will  be  allowed  access.

In other words, if your Xauthority file is 0-length, it's not used, and 
the server falls back to host-based access control.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
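
Added example, not part of the original message: a small audit check for the behaviour described in the reply above, counting the authorization records in the file handed to the server with `-auth` and reporting which access-control mode that implies. The function names and the sample record are constructed for illustration; the record layout assumed is the standard Xauthority one (a 16-bit big-endian family followed by four length-prefixed fields).

```python
import struct

def parse_xauthority(blob: bytes):
    """Return a list of (family, address, display, auth_name, auth_data) records."""
    records, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):  # address, display number, auth name, auth data
            if pos + 2 > len(blob):
                raise ValueError("truncated length prefix")
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated field body")
            fields.append(blob[pos:pos + n])
            pos += n
        records.append((family, *fields))
    return records

def access_mode(blob: bytes) -> str:
    """Map the record count to the mode the man page excerpt describes."""
    if parse_xauthority(blob):
        return "authorization records"   # only clients presenting a record get in
    return "host-based fallback"         # empty file: host list decides access

def _field(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

# Constructed sample: one local-family record with an all-zero placeholder cookie.
SAMPLE = (struct.pack(">H", 256) + _field(b"examplehost") + _field(b"0")
          + _field(b"MIT-MAGIC-COOKIE-1") + _field(bytes(16)))

if __name__ == "__main__":
    for label, data in (("0-length file", b""), ("one record", SAMPLE)):
        print(f"{label}: {access_mode(data)}")
```

A file that raises `ValueError` here is malformed and is worth inspecting by hand rather than assuming either mode.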