X-windows security in Gnome



I have been doing some research on X-windows security and have
stumbled across a fairly nasty hole which allows keyboard entry
to be sniffed, even on programs which have called XGrabKeyboard
or XGrabKey.  A program called xspy demonstrates how to take
advantage of this hole.  Information about xspy, including the
source code, can be found here:

  http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspyPage.html

For example, if a user types "xhost +", then any user can sniff
the password entered in xlockscreen.  Another example is that xterm
comes with a "secure keyboard" mode (just hold down the control
key and the left mouse button at the same time to see this option).
According to xterm's man page, this option is supposed to make
it impossible for other programs to see passwords entered when
telnet'ing, rsh'ing, etc.  However it doesn't work because 
the xspy program demonstrates that XGrabKeyboard isn't a secure
solution.  

My first reaction was to think that XGrabKeyboard/XGrabKey are
broken.  However, as I have researched with the X-Windows
folks, I have been told that XGrabKeyboard/XGrabKey are not
intended to add any degree of security to a program.  I have
even gotten some responses that said that if you are dumb
enough to enter "xhost +" then you deserve having your
passwords sniffed.  However, I suspect most people who use
"xhost +" do not realize that this applies to programs like
xlockscreen.

Fortunately there is a solution, and programs can be secure
even when "xhost +" has been entered.  To do this, it is necessary
for programs to make use of the "X-Windows Security Extension"
(found in the X-windows libXext library).  The specification 
can be found here:

http://davinci01.man.ac.uk/aix433/x11/specs/pdf/security.htm

Some examples of using this extension are here:

http://cvsweb.netbsd.org/bsdweb.cgi/xsrc/xc/test/appgroup/embedtest.c?rev=1.1.1.1&content-type=text/x-cvsweb-markup

http://cvsweb.netbsd.org/bsdweb.cgi/xsrc/xc/test/security/rid.c?rev=1.1&content-type=text/x-cvsweb-markup

Note chapter 3 of the Security Extension Specification which explains
what things about "secure" programs are not accessible to "unsecure"
programs.

Applications within Gnome which might want to make use of
this would include gdm2 and xscreensaver, and gnome-terminal might
want to include a "secure" mode that actually works (perhaps a
configuration option).  Actually any program where a user might
type a password or other sensitive information should make use
of this extension.

Note that for a program segment to be secure, it just needs to call
XSecurityAllocXauth and then XSecurityGenerateAuthorization
on start.  Then on exit call XSecurityFreeXauth.  Things
get more complicated if you have multiple secure programs and you
want one of them to grant security privileges to the other, but I
can't think of an example of needing this in Gnome.


This information was sufficiently time consuming to dig up that
I thought I would share what I found with everyone.

Brian
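
An added example, not part of the original post: a small shell check that classifies the output of `xhost` (run with no arguments) to flag the "xhost +" condition described above. The function name `xhost_audit`, the verdict words and the sample outputs are constructed for this illustration.

```shell
#!/bin/sh
# Added example: classify the text printed by `xhost` with no arguments.
# Verdicts (names chosen for this example):
#   OPEN     access control disabled, i.e. "xhost +" is in effect
#   BROAD .. enabled, but whole hosts/families are allowed (listed after)
#   OK       enabled, with only per-user entries or none
#   UNKNOWN  the first line was not an xhost status line
xhost_audit() {
    # $1 = full output of `xhost`
    printf '%s\n' "$1" | awk '
        NR == 1 {
            if ($0 ~ /^access control disabled/)      state = "open"
            else if ($0 ~ /^access control enabled/)  state = "closed"
            else                                      state = "unknown"
            next
        }
        /^[ \t]*$/       { next }          # skip blank lines
        /^SI:localuser:/ { next }          # per-user entry, narrow grant
        { broad = broad " " $1 }           # INET:, INET6:, LOCAL:, ...
        END {
            if (state == "open")         print "OPEN"
            else if (state != "closed")  print "UNKNOWN"
            else if (broad != "")        print "BROAD" broad
            else                         print "OK"
        }'
}

# Constructed sample outputs (hostnames and user names are made up).
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_BROAD='access control enabled, only authorized clients can connect
INET:build01.example
SI:localuser:brian'
SAMPLE_OK='access control enabled, only authorized clients can connect
SI:localuser:brian'

# Live use on a running session:  xhost_audit "$(xhost)"
```

An OPEN verdict means any client that can reach the display can connect to it, which is the precondition for the keyboard sniffing described in the post.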



