Re: X-windows security in Gnome
- From: Brian Cameron <Brian Cameron sun com>
- To: otaylor redhat com, jwz jwz org
- Cc: Brian Cameron sun com, gnome-hackers gnome org
- Subject: Re: X-windows security in Gnome
- Date: Fri, 17 May 2002 10:32:18 +0100 (BST)
Jamie:
> Owen Taylor wrote:
> >
> > As Jim says, if you want to be secure, secure your display.
>
> Exactly. I hadn't thought of using XQueryKeymap for snooping, that's
> very clever! But there were *already* so many other attacks available
> when someone can access your display that this new one doesn't really
> make much difference: even before this, "xhost +" meant the door was
> wide open.
>
> If your display is accessible, even if the keyboard is grabbed, an
> attacker can read all the pixels off the screen.
>
> If there are any iconified terminals around, arbitrary commands can be
> executed by sending synthetic keypress events to them.
This is simply not true. I was hoping not to have to type in the
specifics of the "Security Extension Specification", but since there
seems to be so much confusion, I will go into more detail.
-- paraphrase start --

Use of this extension does not just secure against keyboard attacks via
XQueryKeymap, it does the following:

A server supporting this extension modifies the handling of some core
requests in the following ways:

Resource ID Usage - If an untrusted client makes a request that specifies
a resource ID that is not owned by another untrusted client, a protocol
error is sent to the requesting client indicating that the specified
resource does not exist. The following exceptions apply. An untrusted
client can

  1. use the QueryTree, GetGeometry, and TranslateCoordinates requests
     without restriction
  2. use colormap IDs that are returned in the default-colormap field of
     its connection setup information in any colormap requests
  3. specify a root window in a number of situations (refer to the spec)

Extension Security - ListExtension will only return names of secure
extensions to untrusted clients. If an untrusted client uses
QueryExtension on an insecure extension that the server supports,
the reply will have the present field set to False and the
major-opcode field set to zero to indicate that the extension is not
supported. If an untrusted client successfully guesses the major
opcode of an insecure extension, attempts by it to execute requests
with that major opcode will fail with a Request error.

Keyboard Security - This prevents untrusted applications from stealing
keyboard input that was meant for trusted clients and prevents them
from interfering with the use of the keyboard.

  1. The bit vector representing the up/down state of the keys returned
     by QueryKeymap and KeymapNotify is all zeros.
  2. GrabKeyboard returns a status of AlreadyGrabbed.
  3. SetInputFocus does nothing.
  4. Passive grabs established by GrabKey that would otherwise have
     activated do not activate.

Image Security - Makes it impossible for an untrusted client to retrieve
the image contents of a trusted window unless a trusted client takes
action to allow this. The restrictions on resource ID usage listed
above prevent untrusted clients from using GetImage directly on
windows not belonging to trusted clients.

Property Security - This is specific to the server.

Miscellaneous Security - If an untrusted client attempts to use
ChangeHosts, ListHosts, or SetAccessControl, the only effect is that
the client receives an Access error.

-- paraphrase end --
After mentioning all that, it should now be clear that by using this
extension, the pixels on the screen and keyboard entry of secure clients
are *only* available to trusted clients. Note that the secure program
must share its key with another program for it to be trusted. Therefore,
any program which does not have access to the secure program's key
cannot access the keyboard or pixels that correspond to the secure program.
The key can use any protocol which is supported by the X-server
(Kerb5 or MIT-MAGIC-COOKIE).
> I notice that on my Red Hat system with XFree86-4.1.0, the XTEST
> extension is listed as a server extension. If that is, in fact, turned
> on, then that's a way to read keystrokes while bypassing all grabs, and
> is also a way to generate synthetic events that don't have the
> "send-event" bit set.
As Sander mentioned, the xserver can be run with the testing extension
turned off. Also, any program using the XTEST extension is restricted
by the same security restrictions as any other client. Therefore a
nontrusted client using the XTEST extension will not be able to access
the keyboard of a secure program via the mechanisms listed above.
Brian
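
The untrusted-client rules paraphrased in the message above, collected into a small Python model (an added example, not part of the original message and not X server code). The `Client`, `Window` and `Server` classes and the `NoSuchResource` and `Success` status labels are assumptions of the model; the request names and the `Access` and `AlreadyGrabbed` results come from the message.

```python
from dataclasses import dataclass
from typing import Optional

# Requests an untrusted client may use on any resource (exception 1 above).
UNRESTRICTED = {"QueryTree", "GetGeometry", "TranslateCoordinates"}
# Requests covered by "Miscellaneous Security".
HOST_CONTROL = {"ChangeHosts", "ListHosts", "SetAccessControl"}

@dataclass(frozen=True)
class Client:
    name: str
    trusted: bool

@dataclass
class Window:
    owner: Client
    image: bytes = b""

@dataclass
class Server:
    keymap: bytes = bytes(32)          # 256 key up/down bits
    focus: Optional[Window] = None

    def request(self, client, op, window=None):
        """Return (status, value) as the modelled server answers `client`."""
        if not client.trusted:
            if op in HOST_CONTROL:
                return ("Access", None)
            if op == "QueryKeymap":
                return ("Success", bytes(32))      # key state hidden: all zeros
            if op == "GrabKeyboard":
                return ("AlreadyGrabbed", None)
            if op == "SetInputFocus":
                return ("Success", None)           # accepted, but does nothing
            # Resource ID rule: only resources owned by untrusted clients "exist".
            if window is not None and window.owner.trusted and op not in UNRESTRICTED:
                return ("NoSuchResource", None)    # model label, not a protocol code
        if op == "QueryKeymap":
            return ("Success", self.keymap)
        if op == "SetInputFocus":
            self.focus = window
        if op == "GetImage" and window is not None:
            return ("Success", window.image)
        return ("Success", None)

if __name__ == "__main__":
    term, snoop = Client("terminal", True), Client("snoop", False)
    srv = Server(keymap=b"\x01" + bytes(31))       # constructed state: one key down
    win = Window(term, b"secret pixels")           # constructed window contents
    for op in ("QueryKeymap", "GetImage", "GetGeometry", "GrabKeyboard", "ListHosts"):
        print(op, srv.request(snoop, op, win), srv.request(term, op, win))
```

Running it prints, for each request, the answer given to the untrusted client next to the answer given to the trusted one.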