Re: X-windows security in Gnome

From: Brian Cameron <Brian Cameron sun com>
To: otaylor redhat com, jwz jwz org
Cc: Brian Cameron sun com, gnome-hackers gnome org
Subject: Re: X-windows security in Gnome
Date: Fri, 17 May 2002 10:32:18 +0100 (BST)
Jamie:

> Owen Taylor wrote:
> > 
> > As Jim says, if you want to be secure, secure your display.
> 
> Exactly.  I hadn't thought of using XQueryKeymap for snooping, that's
> very clever!  But there were *already* so many other attacks available
> when someone can access your display that this new one doesn't really
> make much difference: even before this, "xhost +" meant the door was
> wide open.
> 
> If your display is accessible, even if the keyboard is grabbed, an
> attacker can read all the pixels off the screen.
>
> If there are any iconified terminals around, arbitrary commands can be
> executed by sending synthetic keypress events to them.
 
This is simply not true.  I was hoping not to have to type in the 
specifics of the "Security Extension Specifcation", but since there 
seems to be so much confusion, I will go into more detail.

-- paraphrase start --

Use of this extension does not just secure against keyboard attacks via
XQueryKeymap, it does the following:

A server supporting this extension modifies the handling of some core
requests in the following ways;

Resource ID Usage - If an untrusted client makes a request that specifies
  a resource ID that is not owned by another untrusted client, a protocol
  error is sent to the requesting client indicating that the specified 
  resource does not exist.  The following exceptions apply.  An untrusted
  client can
  
  1. use the QueryTree, GetGeometry, and TranslateCoordinates request 
     without restriction
  2. use colormap IDs that are returned in the default-colormap field of
     its connection setup information in any colormap requests.
  3. specify a root window in a number of situation (refer to the spec)
  
Extension Security - ListExtension will only return names of secure
  extension to untrusted clients.  If an untrusted client uses 
  QueryExtension on an insecure extension that the server supports,
  the reply will have the present field set to False and the 
  major-opcode field set to zero to indicate that the extension is not
  supported.  If an untrusted cleint successfuly guesses the major
  opcode of an insecure extension, attempts by it to execute requests
  with that major opcode will fail with a Request error.
  
Keyboard Security - This prevents untrusted applications from stealing 
  keyboard input that was meant for trusted clients and to prevent them
  from interfering with the use of the keyboard.
  
  1. The bit vector representing up/downs tate of the keys returned by
     QueryKeymap and KeymapNotify is all zeros.
  2. GrabKeyboard returns a status of AlreadyGrabbed
  3. SetInputFocus does nothing
  4. Passive grabs exstablished by GrabKey that would otherwise have
     activated do not activate.

Image Security - Makes it impossible for an untrusted client to retrieve
   the image contents of a trusted window unless a trusted client takes
   action to allow this.  The restrictions on resource ID usage listed
   above prevent untrusted clients from using GetImage directly on 
   windows not belonging to trusted clients.
   
Property Security - This is specific to the server

Miscellaneous Security - If an untrusted client attempts to use
   ChangeHosts, ListHosts, or SetAccessControl, the only effect is that
   the client receives an Access error.
   
-- paraphrase end --
  
After mentioning all that, it should now be clear that by using this
extension, the pixels on the screen and keyboard entry of secure clients
is *only* available to trusted clients.  Note that the secure program
must share its key with another program for it to be trusted.  Therefore,
any program which does not have access to the secure programs key can
not access the keyboard or pixels that coorespond to the secure program.
The key can use any protocol which is supported by the X-server
(Kerb5 or MIT-MAGIC-COOKIE).   

> I notice that on my Red Hat system with XFree86-4.1.0, the XTEST
> extension is listed as a server extension.  If that is, in fact, turned
> on, then that's a way to read keystrokes while bypassing all grabs, and
> is also a way to generate synthetic events that don't have the
> "send-event" bit set.

As Sander mentioned, the xserver can be run with the testing extension
turned off.  Also, any program using the XTEST extension is restricted
by the same security restrictions as any other client.  Therefore a
nontrusted client using the XTEST extension will not be able to access
the keyboard of a secure program via the mechanisms listed above.

Brian

_______________________________________________
gnome-hackers mailing list
gnome-hackers gnome org
http://mail.gnome.org/mailman/listinfo/gnome-hackers
Follow-Ups:
- Re: X-windows security in Gnome
  - From: Jamie Zawinski
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]