1.) Assuming I understood your question correctly... yes.
By default, when sshd is proxying a X connection from the X application, it accepts X connections from localhost (= the Linux system in your scenario) only.
The sysadmin can allow other kinds of use by setting the /etc/ssh/sshd_config parameter X11UseLocalhost to "no"; the default setting is "yes". Normal users cannot change this setting.
2.) If there is no requirement to make outgoing connections from your Linux server to ports 6000-6100 of some other server, then go ahead. If such a requirement exists, you should create a more specific rule that allows traffic to the required port of the required server only, and prefix that to the rules I showed before. Since that port is used by whatever legitimate service is running there, there cannot be a rogue X server at the same port on that particular host.
3.) Yes, one X server for one physical keyboard + mouse + screen combination is the rule. (There are exceptions like "multi-headed" X servers, but they are very rare.)
> one user can change the DISPLAY to direct to the other session, such that operation he does will be displayed on the other session screen.
There's also a requirement to pass the xauth key from one user to the other, or to use "xhost +". In my experience, very few users and surprisingly few sysadmins know how to do that.
But remember that you cannot block everything: your users can probably use the PrintScreen button on their workstations to grab screenshots of what they see, then share them by email or by USB memory sticks. Or they might simply talk to each other about what they've seen on their own screens.
If you have two groups of users that *absolutely* must be prevented from communicating with each other, then it might be simpler to just set up two separate servers in separate networks.
Or set up the system so that a regular user can only access the application, not a X11 GUI desktop nor a terminal session. That should cut away most of your "what if the user changes DISPLAY" worries: if the user has no access to a command prompt, much mischief becomes impossible.
For example: set up a small test in /etc/profile that checks the user ID. If the user does not belong to a group that allows command-line access, force-start the application. When the application process stops, end the session.
Something like this in /etc/profile should do it:
if id -nG | grep -q ' cmdline '; then
# user belongs to "cmdline" group
echo "Command line access authorized"
else
# not a member of "cmdline" group:
# force the start of some-X-application,
# end the session when it exits.
some-X-application
exit $?
fi
MK
MK
