Date: Sat, 06 Apr 2024 12:01:54 +0200 From: Jan Beich <jbeich@FreeBSD.org> To: Emmanuel Vadot <manu@bidouilliste.com> Cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes Message-ID: <o7am-stbh-wny@FreeBSD.org> In-Reply-To: <20240405104111.9d9263dfe7ce99a01d620ab3@bidouilliste.com> (Emmanuel Vadot's message of "Fri, 5 Apr 2024 10:41:11 %2B0200") References: <202404040955.4349tDrM089062@gitrepo.freebsd.org> <20240404125743.1e52876a69053b726cb456e4@bidouilliste.com> <8r1t-ny0j-wny@FreeBSD.org> <20240404141239.35d54535539b66cd6336ee5b@bidouilliste.com> <7chd-l2ru-wny@FreeBSD.org> <20240404151554.04340786db8562e522f7b1a8@bidouilliste.com> <wmpd-fdbs-wny@FreeBSD.org> <20240405104111.9d9263dfe7ce99a01d620ab3@bidouilliste.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Emmanuel Vadot <manu@bidouilliste.com> writes:
> On Thu, 04 Apr 2024 15:48:55 +0200
> Jan Beich <jbeich@FreeBSD.org> wrote:
>
>> Emmanuel Vadot <manu@bidouilliste.com> writes:
>>
>> >> but also introduced a number of regressions that
>> >> don't exist in my port, all of which were documented in my reviews.
>> >
>> > What regressions ? I'm using xwayland for more than a year on my
>> > desktop instead of -devel and haven't seen a problem.
>>
>> Try diff xwayland{,-devel}/Makefile:
>> - Missing XSECURITY (ssh -X vs. ssh -Y; xorg-server parity per bug 221984)
>
> I admit that I'm a bit lost on this one, I did some test and here is
> what I found :
>
> - Using sway and xwayland (so without xcsecurity enabled) I can't ssh
> -X to a xorg host and run applications (DISPLAY is not set), but I can
> ssh -Y fine
Works fine here:
# Prepare by removing existing permissions
$ rm ~/.Xauthority
$ ssh test@jail rm \~/.Xauthority
# x11-servers/xwayland-devel
$ ssh -X test@jail xeyes
/usr/local/bin/xauth: file /home/test/.Xauthority does not exist
Xlib: extension "XInputExtension" missing on display "localhost:10.0".
^C
# x11-servers/xwayland
$ ssh -X test@jail xeyes
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Error: Can't open display:
Alternatively, SECURITY extension can be tested locally:
$ xauth generate $DISPLAY . untrusted && xeyes
xauth: file /home/jbeich/.Xauthority does not exist
Xlib: extension "XInputExtension" missing on display ":0".
^C
Curiously, wlroots starts Xwayland without -auth argument unlike others.
https://gitlab.gnome.org/GNOME/mutter/-/commit/a8984a81c2e8
https://invent.kde.org/plasma/kwin/-/commit/335d9c41925d
> So what I did next was to recompile xorg-server with xcsecurity
> set to false. And to my surprise ssh -X from a xorg host to the one
> with the modified xorg-server still worked.
Did you run the modified xorg-server locally? ssh -X doesn't use
xorg-server on the remote host, where sshd server is running.
> xcsecurity is disabled by default in xorg-server upstream (in meson)
> and I think that we should do the same (granted that XACE works
> correctly).
>From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59
# X-ACE extension: provides hooks for building security policy extensions
# like XC-Security, X-SELinux & XTSol
X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
with the legacy XC-Security (trusted/untrusted) or nothing.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?o7am-stbh-wny>