From owner-freebsd-x11@FreeBSD.ORG Fri Apr 17 03:57:02 2009 Return-Path: Delivered-To: x11@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6DABE1065674 for ; Fri, 17 Apr 2009 03:57:02 +0000 (UTC) (envelope-from ewalsh@tycho.nsa.gov) Received: from zombie2.ncsc.mil (zombie2.ncsc.mil [144.51.88.133]) by mx1.freebsd.org (Postfix) with ESMTP id 157548FC12 for ; Fri, 17 Apr 2009 03:57:01 +0000 (UTC) (envelope-from ewalsh@tycho.nsa.gov) Received: from facesaver.epoch.ncsc.mil (jazzdrum.ncsc.mil [144.51.5.7]) by zombie2.ncsc.mil (8.12.10/8.12.10) with ESMTP id n3H3i1pZ019617; Fri, 17 Apr 2009 03:44:15 GMT Received: from moss-huskies.epoch.ncsc.mil (moss-huskies.epoch.ncsc.mil [144.51.25.7]) by facesaver.epoch.ncsc.mil (8.13.1/8.13.1) with ESMTP id n3H3hs7p031839; Thu, 16 Apr 2009 23:43:54 -0400 Message-ID: <49E7FAFA.3010900@tycho.nsa.gov> Date: Thu, 16 Apr 2009 23:43:54 -0400 From: Eamon Walsh User-Agent: Thunderbird 2.0.0.21 (X11/20090320) MIME-Version: 1.0 To: Chris Palmer References: <7E3B942D6F9AE64EA28CE80B7283C1EC212C0D872C@exch01.isecpartners.com> In-Reply-To: <7E3B942D6F9AE64EA28CE80B7283C1EC212C0D872C@exch01.isecpartners.com> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.1 required=3.5 tests=ALL_TRUSTED,AWL,BAYES_00 autolearn=ham version=3.1.8 X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on facesaver.epoch.ncsc.mil Cc: "x11@freebsd.org" Subject: Re: X SECURITY extension gone in latest Xorg; XACE not working? X-BeenThere: freebsd-x11@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: X11 on FreeBSD -- maintaining and support List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Apr 2009 03:57:02 -0000 Chris Palmer wrote: > Hello, > > With a recent build of FreeBSD ports (I am on FreeBSD 7), the X SECURITY extension is nonexistent, and its functionality is missing. For example, "ssh -X" is equivalent to "ssh -Y", "xauth -f foo generate :0.0 . untrusted" doesn't work, and so on. I am developing a program (http://code.google.com/p/isolate) that depends on being able to put X clients in the "untrusted" group. I dimly understand that XACE is supposed to replace the old SECURITY extension with new and more exciting (but compatible) behavior, but currently, I get no joy either way. > > On OpenBSD 4.4 and Ubuntu 8.10, SECURITY still works; I assume it's because their builds are old enough to not have whatever recent changes were made. > > In the configure script for the xorg-server port, I found an option to re-enable SECURITY, and it appears to mostly work. But normal people are not going to do that, and so won't get the security features of the extension. > > Any clues, explanations of how I'm missing something, et c., greatly appreciated. Thanks! > > > The SECURITY extension is still present in the upstream source. In 2007 it was rebased on top of XACE (which is a security hook framework somewhat like Linux LSM) and it looks like at that time the default configuration was changed to not compile it. It could be re-enabled upstream, by the distro, or by compiling from source. I ran the untrusted scrot, xspy, and xeyes tests shown at the link above on Xorg compiled from git. They all worked as expected, except for xeyes, which was able to access the Shape extension in untrusted mode. I fixed it upstream to only allow untrusted clients to access the BIG-REQUESTS, XC-MISC, and XPrint extensions, which was the original behavior. If I may suggest, a good alternative to SECURITY for sandboxing applications is to run a nested X server, such as Xephyr, and have the isolated X client connect to it. This has the advantage of giving the client full run of the display. Hope this helps! -- Eamon Walsh National Security Agency