Date: Thu, 16 Apr 2009 23:43:54 -0400
From: Eamon Walsh <ewalsh@tycho.nsa.gov>
To: Chris Palmer <chris@isecpartners.com>
Cc: "x11@freebsd.org" <x11@freebsd.org>
Subject: Re: X SECURITY extension gone in latest Xorg; XACE not working?
Message-ID: <49E7FAFA.3010900@tycho.nsa.gov>
In-Reply-To: <7E3B942D6F9AE64EA28CE80B7283C1EC212C0D872C@exch01.isecpartners.com>
References: <7E3B942D6F9AE64EA28CE80B7283C1EC212C0D872C@exch01.isecpartners.com>

Chris Palmer wrote:
> Hello,
>
> With a recent build of FreeBSD ports (I am on FreeBSD 7), the X SECURITY extension is nonexistent, and its functionality is missing. For example, "ssh -X" is equivalent to "ssh -Y", "xauth -f foo generate :0.0 . untrusted" doesn't work, and so on. I am developing a program (http://code.google.com/p/isolate) that depends on being able to put X clients in the "untrusted" group. I dimly understand that XACE is supposed to replace the old SECURITY extension with new and more exciting (but compatible) behavior, but currently, I get no joy either way.
>
> On OpenBSD 4.4 and Ubuntu 8.10, SECURITY still works; I assume it's because their builds are old enough to not have whatever recent changes were made.
>
> In the configure script for the xorg-server port, I found an option to re-enable SECURITY, and it appears to mostly work. But normal people are not going to do that, and so won't get the security features of the extension.
>
> Any clues, explanations of how I'm missing something, et c., greatly appreciated. Thanks!

The SECURITY extension is still present in the upstream source. In 2007 it was rebased on top of XACE (which is a security hook framework somewhat like Linux LSM) and it looks like at that time the default configuration was changed to not compile it. It could be re-enabled upstream, by the distro, or by compiling from source.

I ran the untrusted scrot, xspy, and xeyes tests shown at the link above on Xorg compiled from git. They all worked as expected, except for xeyes, which was able to access the Shape extension in untrusted mode. I fixed it upstream to only allow untrusted clients to access the BIG-REQUESTS, XC-MISC, and XPrint extensions, which was the original behavior.

If I may suggest, a good alternative to SECURITY for sandboxing applications is to run a nested X server, such as Xephyr, and have the isolated X client connect to it. This has the advantage of giving the client full run of the display.

Hope this helps!

--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
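
The two approaches discussed in this message (an untrusted xauth cookie when the server has SECURITY compiled in, a nested Xephyr server otherwise), sketched as an added example that is not part of the original e-mail or of the isolate project. It refuses to start the client when the untrusted cookie cannot be generated instead of running it trusted. All function names, the nested display number `:1`, and the use of `xdpyinfo`, `mktemp` and `openssl` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Succeeds only if `xdpyinfo` output on stdin lists SECURITY as an extension.
has_security_ext() {
    awk '/^number of extensions:/   { in_ext = 1; next }
         in_ext && /^[^ ]/          { in_ext = 0 }   # indented list has ended
         in_ext && $1 == "SECURITY" { found = 1 }
         END { exit !found }'
}

# Prints the method to use, given `xdpyinfo` output on stdin.
choose_isolation() {
    if has_security_ext; then echo untrusted-cookie; else echo nested-xephyr; fi
}

# Untrusted path: the xauth command quoted in the message, in a private file.
run_untrusted() {
    auth=$(mktemp) || return 1
    if xauth -f "$auth" generate "$DISPLAY" . untrusted; then
        XAUTHORITY="$auth" "$@"; rc=$?
    else
        echo "untrusted cookie not generated; refusing to run $1" >&2; rc=1
    fi
    rm -f "$auth"; return "$rc"
}

# Nested path: the client only sees Xephyr. Display :1 is an assumption.
run_nested() {
    nested=${NESTED_DISPLAY:-:1}
    auth=$(mktemp) || return 1
    xauth -f "$auth" add "$nested" . "$(openssl rand -hex 16)" || return 1
    Xephyr "$nested" -auth "$auth" -nolisten tcp -screen 1024x768 &
    xephyr_pid=$!
    sleep 1   # crude wait for the nested server to start listening
    DISPLAY="$nested" XAUTHORITY="$auth" "$@"; rc=$?
    kill "$xephyr_pid"; rm -f "$auth"; return "$rc"
}

# Hypothetical entry point: isolate_run CLIENT [ARGS...]
isolate_run() {
    case $(xdpyinfo | choose_isolation) in
        untrusted-cookie) run_untrusted "$@" ;;
        *)                run_nested "$@" ;;
    esac
}

# Constructed xdpyinfo excerpt for trying the check offline.
sample_xdpyinfo() { printf 'number of extensions:    2\n    BIG-REQUESTS\n    %s\ndefault screen number:    0\n' "$1"; }
```

After sourcing the file, `isolate_run xeyes` starts the client under whichever method the running server supports; `sample_xdpyinfo SECURITY | choose_isolation` exercises the check without an X server.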