Re: X-windows security in Gnome

[Jamie Zawinski <jwz jwz org>]

Owen Taylor wrote:
> 
> As Jim says, if you want to be secure, secure your display.

Exactly.  I hadn't thought of using XQueryKeymap for snooping, that's
very clever!  But there were *already* so many other attacks available
when someone can access your display that this new one doesn't really
make much difference: even before this, "xhost +" meant the door was
wide open.

If your display is accessible, even if the keyboard is grabbed, an
attacker can read all the pixels off the screen.

If there are any iconified terminals around, arbitrary commands can be
executed by sending synthetic keypress events to them.

I notice that on my Red Hat system with XFree86-4.1.0, the XTEST
extension is listed as a server extension.  If that is, in fact, turned
on, then that's a way to read keystrokes while bypassing all grabs, and
is also a way to generate synthetic events that don't have the
"send-event" bit set.

Also, the Gnome "administrator password" dialog doesn't even bother
grabbing the keyboard at all: start red-carpet as non-root and note that
it asks you to type in the root password in a grab-less Gnome dialog. 
That's just careless.  It ought to *at least* do what ssh-askpass-gnome
does.  Why ask for trouble?

If someone wants to send me a patch against xscreensaver to take
advantage of the SECURITY protocol extension, I'll consider including it
(if the patch is coded defensively enough.)  However, I strongly suspect
that adding that support for that to client programs will not
significantly increase the overall security of the system, while it
definitely *will* increase complexity of the clients, risking
destabilizing them.

-- 
Jamie Zawinski
jwz jwz org             http://www.jwz.org/
jwz dnalounge com       http://www.dnalounge.com/
_______________________________________________
gnome-hackers mailing list
gnome-hackers gnome org
http://mail.gnome.org/mailman/listinfo/gnome-hackers