Mark Seaborn
2008-06-08 10:39:46 UTC
> Hi Mark,
> I've recently been researching X11 security in order to write a simple wrapper
> that would run X applications (e.g., mostly complex network clients such as
> firefox) as an unprivileged user with an untrusted X authorization cookie.
> This doesn't work nearly as well as I would like it to. Some applications
> crash (e.g., firefox with adobe's flash plugin), and I can't get selections to
> work between trusted and untrusted applications (e.g., firefox and a Vim
> session), despite tweaking with the security policy for the (legacy) SECURITY
> extension.
> When I found your wiki notes on X11 security I realized you've probably done
> as much in-depth research on this problem as anyone else I have come across.
> Your approach is very interesting, and seems to be the most practical way to
> achieve seamless yet safe integration between X11 applications at different
> privilege levels. The XSELinux approach is a bit overkill for my purposes (I
> don't really like the complexity of SELinux) and I haven't yet looked closely
> enough at xtsol.
> Anyhow, I noticed the last commits to the X11 proxy directory happened around
> three months ago, and the wiki page seems to indicate the work is at a pretty
> early stage.
> 1) What is the status of the X11 proxy you are developing? Do you have an
> estimate to how long before it is usable?

As an X11 message encoding/decoding library it does a lot, but as an
X11 security proxy it doesn't. It implements some special-case
restrictions such as blocking grabs, but it does not yet implement the
general-case restriction of checking X resource IDs. Making it check
resource IDs will slow it down a lot and it may be necessary to
compile these checks to C to make the proxy usable.
I have since found a tool which should be able to provide most of the
X security requirements very quickly: Xpra. It takes quite a
different approach to my X proxy. It runs applications under a
separate X server (Xvfb). It forwards window contents to the real X
server, and forwards keyboard and mouse input and window positions in
the other direction to the Xvfb server. It was not originally
intended as a security tool, but as an X equivalent of "screen".
See <http://partiwm.org> and
<http://lists.partiwm.org/pipermail/parti-discuss/2008-April/000014.html>.
I am not actively working on the X proxy, so I can't say when it will
be usable. I will probably try improving Xpra first.
What security properties are you interested in? Preventing input
injection, for example, is much easier than preventing keyboard
snooping. Preventing denial of service is hard. You might want to
stop applications from stealing the input focus, for example, which
really requires window manager support; it can't easily be done by
Xpra or an X proxy on its own.

> 2) When the X11 proxy is functional, would it be possible to use it
> independently of plash?

Yes. In fact I haven't used it with Plash yet.

> 3) Will secure selections between trusted and untrusted applications be
> possible?

I believe it will be possible to forward the X selection between
trusted and sandboxed applications with the X proxy or Xpra. x2x and
Synergy already do this.
The harder part is what it might mean to do that securely. There are
some notes on the wiki about that:
<http://plash.beasts.org/wiki/TrustedPathButtons>
and a thread here:
<http://lists.laptop.org/pipermail/security/2008-April/000391.html>.
In brief, doing copy and paste via the keyboard shortcuts Ctrl-C and
Ctrl-V can be made secure without changing X applications, but making
Copy and Paste menu items secure will require modifying applications.

> 4) Do you know of a workaround that will enable copy and paste between two
> unmodified X11 clients one of which is running as trusted and one which
> isn't?

With the X Security extension? I don't know. There is probably no
workaround in this context because the selection protocol requires
writing to properties on another client's window.

> 5) I can configure the legacy SECURITY SecurityPolicy to allow access
> to cut buffers so I'm thinking maybe there might be a way (e.g.,
> LD_PRELOAD?) to convert selections to cut buffers. Do you think that
> might work?

It seems unlikely. I don't think cut buffers are used much, and they
are fairly different from selections.
Cheers,
Mark
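
The following is an added example, not code from this thread and not part of Plash, Xpra or the X server: a small Python model of the two copy/paste paths discussed in answers 3 to 5 above. Everything in it is an assumption made for illustration: ToyXServer, Client, paste_via_selection, paste_via_cut_buffer and demo are not X server APIs, the "vim" and "firefox" clients are constructed, and the access rule is a deliberately simplified SECURITY-style policy (an untrusted client may not reference a trusted client's window, and may use root-window properties only if the policy lists them, in the spirit of the SecurityPolicy "property" lines the question mentions). It models only what the two paths touch: windows, properties, selection ownership and event delivery.

```python
from dataclasses import dataclass, field

TRUSTED, UNTRUSTED = "trusted", "untrusted"
ROOT = 0  # root window id; owned by the server rather than by a client


class XAccessError(Exception):
    pass  # stands in for the BadWindow / BadAccess error a real server returns


@dataclass
class Client:
    name: str
    trust: str
    events: list = field(default_factory=list)  # events queued for this client


class ToyXServer:
    def __init__(self, allowed_root_props=()):
        self.windows = {}              # window id -> Client that created it
        self.props = {}                # (window id, property name) -> value
        self.selection_owner = {}      # selection name -> owning window id
        self.allowed_root_props = set(allowed_root_props)
        self._next_id = 1

    def create_window(self, client):
        wid, self._next_id = self._next_id, self._next_id + 1
        self.windows[wid] = client
        return wid

    def _check_access(self, client, window, prop):
        # Assumed, simplified SECURITY-style rule: an untrusted client may not
        # reference a trusted client's window, and may only use root-window
        # properties the policy lists (cf. SecurityPolicy "property" lines).
        if window == ROOT:
            if client.trust == UNTRUSTED and prop not in self.allowed_root_props:
                raise XAccessError(f"BadAccess: {client.name} may not use root property {prop}")
            return
        owner = self.windows[window]
        if client.trust == UNTRUSTED and owner.trust == TRUSTED:
            raise XAccessError(f"BadWindow: {client.name} cannot reference {owner.name}'s window")

    def change_property(self, client, window, prop, value):
        self._check_access(client, window, prop)
        self.props[(window, prop)] = value

    def get_property(self, client, window, prop, delete=False):
        self._check_access(client, window, prop)
        return self.props.pop((window, prop), None) if delete else self.props.get((window, prop))

    def set_selection_owner(self, client, selection, window):
        self._check_access(client, window, None)
        self.selection_owner[selection] = window

    def convert_selection(self, client, selection, target, prop, requestor_window):
        owner_window = self.selection_owner.get(selection)
        if owner_window is None:
            raise XAccessError(f"no owner for {selection}")
        # The server turns the request into a SelectionRequest event for the owner.
        self.windows[owner_window].events.append(
            ("SelectionRequest", requestor_window, selection, target, prop))

    def send_event(self, client, window, event):
        self._check_access(client, window, None)
        self.windows[window].events.append(event)


def paste_via_selection(server, owner, owner_win, requestor, requestor_win, text):
    """ICCCM selection transfer. Returns (text, None) on success or (None, error)."""
    try:
        server.set_selection_owner(owner, "PRIMARY", owner_win)            # owner claims PRIMARY
        server.convert_selection(requestor, "PRIMARY", "STRING", "XSEL_DATA", requestor_win)
        _, req_win, sel, target, prop = owner.events.pop(0)                # owner gets SelectionRequest
        server.change_property(owner, req_win, prop, text)                 # writes into the OTHER client's window
        server.send_event(owner, req_win, ("SelectionNotify", sel, target, prop))
        _, _, _, prop = requestor.events.pop(0)                            # requestor gets SelectionNotify
        return server.get_property(requestor, req_win, prop, delete=True), None
    except XAccessError as e:
        return None, str(e)


def paste_via_cut_buffer(server, writer, reader, text):
    """Cut-buffer transfer: both sides touch only CUT_BUFFER0 on the root window."""
    try:
        server.change_property(writer, ROOT, "CUT_BUFFER0", text)
        return server.get_property(reader, ROOT, "CUT_BUFFER0"), None
    except XAccessError as e:
        return None, str(e)


def demo(allow_cut_buffer=True):
    """All four transfers between a trusted vim and an untrusted firefox (constructed clients)."""
    server = ToyXServer(allowed_root_props=["CUT_BUFFER0"] if allow_cut_buffer else [])
    vim, firefox = Client("vim", TRUSTED), Client("firefox", UNTRUSTED)
    vim_win, ff_win = server.create_window(vim), server.create_window(firefox)
    return {
        "selection trusted->untrusted": paste_via_selection(server, vim, vim_win, firefox, ff_win, "from vim"),
        "selection untrusted->trusted": paste_via_selection(server, firefox, ff_win, vim, vim_win, "from firefox"),
        "cutbuffer trusted->untrusted": paste_via_cut_buffer(server, vim, firefox, "from vim"),
        "cutbuffer untrusted->trusted": paste_via_cut_buffer(server, firefox, vim, "from firefox"),
    }


if __name__ == "__main__":
    for name, (data, err) in demo().items():
        print(name, "->", repr(data) if err is None else err)
```

Running demo() shows the asymmetry the reply points at: the trusted owner may write into the untrusted requestor's window, so pasting from vim into firefox completes, but the untrusted owner's ChangeProperty on vim's window is exactly the step the trust rule rejects, so the reverse direction fails with BadWindow. The cut-buffer path never references another client's window, only CUT_BUFFER0 on the root window, which is why a SecurityPolicy line can open it in both directions (and closing it, demo(allow_cut_buffer=False), blocks both). The model says nothing about whether such a transfer is safe: an untrusted client that can read PRIMARY at any time is the trusted-path problem the wiki notes and the OLPC thread discuss.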