Date: Tue, 9 Apr 2024 09:44:02 +0200 From: Emmanuel Vadot <manu@bidouilliste.com> To: Jan Beich <jbeich@FreeBSD.org> Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes Message-ID: <20240409094402.147972b37e03f594f3d7f588@bidouilliste.com> In-Reply-To: <o7am-stbh-wny@FreeBSD.org> References: <202404040955.4349tDrM089062@gitrepo.freebsd.org> <20240404125743.1e52876a69053b726cb456e4@bidouilliste.com> <8r1t-ny0j-wny@FreeBSD.org> <20240404141239.35d54535539b66cd6336ee5b@bidouilliste.com> <7chd-l2ru-wny@FreeBSD.org> <20240404151554.04340786db8562e522f7b1a8@bidouilliste.com> <wmpd-fdbs-wny@FreeBSD.org> <20240405104111.9d9263dfe7ce99a01d620ab3@bidouilliste.com> <o7am-stbh-wny@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 06 Apr 2024 12:01:54 +0200
Jan Beich <jbeich@FreeBSD.org> wrote:
> Emmanuel Vadot <manu@bidouilliste.com> writes:
>
> > On Thu, 04 Apr 2024 15:48:55 +0200
> > Jan Beich <jbeich@FreeBSD.org> wrote:
> >
> >> Emmanuel Vadot <manu@bidouilliste.com> writes:
> >>
> >> >> but also introduced a number of regressions that
> >> >> don't exist in my port, all of which were documented in my reviews.
> >> >
> >> > What regressions ? I'm using xwayland for more than a year on my
> >> > desktop instead of -devel and haven't seen a problem.
> >>
> >> Try diff xwayland{,-devel}/Makefile:
> >> - Missing XSECURITY (ssh -X vs. ssh -Y; xorg-server parity per bug 221984)
> >
> > I admit that I'm a bit lost on this one, I did some test and here is
> > what I found :
> >
> > - Using sway and xwayland (so without xcsecurity enabled) I can't ssh
> > -X to a xorg host and run applications (DISPLAY is not set), but I can
> > ssh -Y fine
>
> Works fine here:
>
> # Prepare by removing existing permissions
> $ rm ~/.Xauthority
> $ ssh test@jail rm \~/.Xauthority
>
> # x11-servers/xwayland-devel
> $ ssh -X test@jail xeyes
> /usr/local/bin/xauth: file /home/test/.Xauthority does not exist
> Xlib: extension "XInputExtension" missing on display "localhost:10.0".
> ^C
>
> # x11-servers/xwayland
> $ ssh -X test@jail xeyes
> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
> Error: Can't open display:
>
> Alternatively, SECURITY extension can be tested locally:
>
> $ xauth generate $DISPLAY . untrusted && xeyes
> xauth: file /home/jbeich/.Xauthority does not exist
> Xlib: extension "XInputExtension" missing on display ":0".
> ^C
>
> Curiously, wlroots starts Xwayland without -auth argument unlike others.
> https://gitlab.gnome.org/GNOME/mutter/-/commit/a8984a81c2e8
> https://invent.kde.org/plasma/kwin/-/commit/335d9c41925d
>
> > So what I did next was to recompile xorg-server with xcsecurity
> > set to false. And to my surprise ssh -X from a xorg host to the one
> > with the modified xorg-server still worked.
>
> Did you run the modified xorg-server locally? ssh -X doesn't use
> xorg-server on the remote host, where sshd server is running.
>
> > xcsecurity is disabled by default in xorg-server upstream (in meson)
> > and I think that we should do the same (granted that XACE works
> > correctly).
>
> From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59
> # X-ACE extension: provides hooks for building security policy extensions
> # like XC-Security, X-SELinux & XTSol
>
> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
> with the legacy XC-Security (trusted/untrusted) or nothing.
No, We build with X-ACE currently and this isn't what the doc is
saying. It just says that X-ACE is somewhat what X-SELinux and XTSol is.
In fact it seems that XCSECURITY imply X-ACE, I haven't looked
at the code but it's possible that the XCSECURITY code is using X-ACE
as the backend.
--
Emmanuel Vadot <manu@bidouilliste.com> <manu@freebsd.org>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20240409094402.147972b37e03f594f3d7f588>