
[Plash] Re: X11 proxy related questions


From: Mark Seaborn
Subject: [Plash] Re: X11 proxy related questions
Date: Sun, 08 Jun 2008 11:39:46 +0100 (BST)

Liraz <address@hidden> wrote:

> Hi Mark,
> 
> I've recently been researching X11 security in order to write a simple wrapper
> that would run X applications (e.g., mostly complex network clients such as
> firefox) as an unprivileged user with an untrusted X authorization cookie.
> 
> This doesn't work nearly as well as I would like it to. Some applications
> crash (e.g., firefox with adobe's flash plugin), and I can't get selections to
> work between trusted and untrusted applications (e.g., firefox and a Vim
> session), despite tweaking with the security policy for the (legacy) SECURITY
> extension.
> 
> When I found your wiki notes on X11 security I realized you've probably done
> as much in-depth research on this problem as anyone else I have come across.
> 
> Your approach is very interesting, and seems to be the most practical way to
> achieve seamless yet safe integration between X11 applications at different
> privilege levels. The XSELinux approach is a bit overkill for my purposes (I
> don't really like the complexity of SELinux) and I haven't yet looked closely
> enough at xtsol.
> 
> Anyhow, I noticed the last commits to the X11 proxy directory happened around
> three months ago, and the wiki page seems to indicate the work is at a pretty
> early stage.
> 
> Questions:
> 
> 1) What is the status of the X11 proxy you are developing? Do you have an
>     estimate to how long before it is usable?

As an X11 message encoding/decoding library it does a lot, but as an
X11 security proxy it doesn't.  It implements some special-case
restrictions such as blocking grabs, but it does not yet implement the
general-case restriction of checking X resource IDs.  Making it check
resource IDs will slow it down a lot and it may be necessary to
compile these checks to C to make the proxy usable.

I have since found a tool which should be able to provide most of the
X security requirements very quickly: Xpra.  It takes quite a
different approach to my X proxy.  It runs applications under a
separate X server (Xvfb).  It forwards window contents to the real X
server, and forwards keyboard and mouse input and window positions in
the other direction to the Xvfb server.  It was not originally
intended as a security tool, but as an X equivalent of "screen".
See <http://partiwm.org> and
<http://lists.partiwm.org/pipermail/parti-discuss/2008-April/000014.html>.

I am not actively working on the X proxy, so I can't say when it will
be usable.  I will probably try improving Xpra first.

What security properties are you interested in?  Preventing input
injection, for example, is much easier than preventing keyboard
snooping.  Preventing denial of service is hard.  You might want to
stop applications from stealing the input focus, for example, which
really requires window manager support; it can't easily be done by
Xpra or an X proxy on its own.


> 2) When the X11 proxy is functional, would it be possible to use it
>     independently of plash?

Yes.  In fact I haven't used it with Plash yet.

> 3) Will secure selections between trusted and untrusted applications be
>     possible?

I believe it will be possible to forward the X selection between
trusted and sandboxed applications with the X proxy or Xpra.  x2x and
Synergy already do this.

The harder part is what it might mean to do that securely.  There are
some notes on the wiki about that:
<http://plash.beasts.org/wiki/TrustedPathButtons>
and a thread here:
<http://lists.laptop.org/pipermail/security/2008-April/000391.html>.
In brief, doing copy and paste via the keyboard shortcuts Ctrl-C and
Ctrl-V can be made secure without changing X applications, but making
Copy and Paste menu items secure will require modifying applications.


> 4) Do you know of a workaround that will enable copy and paste between two
>     unmodified X11 clients one of which is running as trusted and one which
>     isn't?

With the X Security extension?  I don't know.  There is probably no
workaround in this context because the selection protocol requires
writing to properties on another client's window.

> 5) I can configure the legacy SECURITY SecurityPolicy to allow access
>     to cut buffers so I'm thinking maybe there might be a way (e.g.,
>     LD_PRELOAD?) to convert selections to cut buffers. Do you think that
>     might work?

It seems unlikely.  I don't think cut buffers are used much, and they
are fairly different from selections.

Cheers,
Mark
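An added example, not code from Plash's X11 proxy and not part of the message above, of the two kinds of restriction the reply describes: a proxy that blocks grabs outright (the special case) and checks every resource ID a request names against the sandboxed client's resource-id-base and mask from the connection-setup reply (the general case). It also illustrates the later point about selections: the ChangeProperty that the selection protocol needs, on a window owned by another client, is exactly what the resource-ID check rejects. The opcode table covers only a handful of core requests, the root-window XID, base/mask values and property atom are made up, and the sample traffic is constructed inline rather than captured.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Core-protocol opcodes and the byte offsets (from the opcode byte) of the
# XID arguments a proxy has to check.  Atom arguments (property names, types,
# selection names) are not resources and are deliberately not listed.  This
# is a small illustrative subset; a real proxy needs the whole core protocol
# plus every extension the client may use.
XID_FIELDS: Dict[int, Tuple[str, Tuple[int, ...]]] = {
    1:  ("CreateWindow",        (4, 8)),  # wid, parent
    3:  ("GetWindowAttributes", (4,)),
    4:  ("DestroyWindow",       (4,)),
    7:  ("ReparentWindow",      (4, 8)),  # window, parent
    8:  ("MapWindow",           (4,)),
    12: ("ConfigureWindow",     (4,)),
    18: ("ChangeProperty",      (4,)),    # window; property/type are atoms
    19: ("DeleteProperty",      (4,)),
    20: ("GetProperty",         (4,)),
    22: ("SetSelectionOwner",   (4,)),    # owner window (0 = None)
    24: ("ConvertSelection",    (4,)),    # requestor window
    25: ("SendEvent",           (4,)),    # destination (0/1 = PointerWindow/InputFocus)
}
NO_XID_OPCODES = {16: "InternAtom", 17: "GetAtomName"}
GRAB_OPCODES = {26: "GrabPointer", 31: "GrabKeyboard", 36: "GrabServer"}


@dataclass(frozen=True)
class ClientPolicy:
    """What the proxy knows about one sandboxed client."""
    resource_id_base: int     # from the server's connection-setup reply
    resource_id_mask: int
    shared_xids: frozenset    # XIDs it may name anyway, e.g. the root window

    def owns(self, xid: int) -> bool:
        # A client allocates XIDs as base | (n & mask), so clearing the mask
        # bits must give back exactly its own base.
        return (xid & ~self.resource_id_mask) == self.resource_id_base


def split_requests(stream: bytes, fmt: str) -> List[bytes]:
    """Cut a client->server byte stream into whole requests."""
    reqs, pos = [], 0
    while pos < len(stream):
        # Header: opcode, one data byte, length in 4-byte units, client byte order.
        _op, _data, units = struct.unpack_from(fmt + "BBH", stream, pos)
        if units == 0:
            raise ValueError("BIG-REQUESTS extended length not handled here")
        end = pos + 4 * units
        if end > len(stream):
            raise ValueError("truncated request")
        reqs.append(stream[pos:end])
        pos = end
    return reqs


def check_request(req: bytes, policy: ClientPolicy, fmt: str) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one request."""
    opcode = req[0]
    if opcode in GRAB_OPCODES:                       # special-case rule
        return "deny", f"{GRAB_OPCODES[opcode]}: grabs are blocked"
    if opcode in NO_XID_OPCODES:
        return "allow", NO_XID_OPCODES[opcode]
    if opcode not in XID_FIELDS:                     # default deny
        return "deny", f"opcode {opcode}: not in the allow-list"
    name, offsets = XID_FIELDS[opcode]
    for off in offsets:
        (xid,) = struct.unpack_from(fmt + "I", req, off)
        if xid == 0 or (opcode == 25 and xid == 1):   # None / PointerWindow / InputFocus
            continue
        if policy.owns(xid) or xid in policy.shared_xids:
            continue
        return "deny", f"{name}: XID 0x{xid:x} belongs to another client"
    return "allow", name


def filter_stream(stream: bytes, policy: ClientPolicy, big_endian: bool = False) -> List[Tuple[str, str]]:
    fmt = ">" if big_endian else "<"
    return [check_request(r, policy, fmt) for r in split_requests(stream, fmt)]


# --- constructed sample traffic (hypothetical values, not a capture) ---------

def build_request(opcode: int, data: int, body: bytes, fmt: str = "<") -> bytes:
    assert len(body) % 4 == 0
    return struct.pack(fmt + "BBH", opcode, data, 1 + len(body) // 4) + body

ROOT = 0x12b                                     # hypothetical root window XID
SANDBOXED = ClientPolicy(0x00400000, 0x001fffff, frozenset({ROOT}))
OWN_WIN, TRUSTED_WIN = 0x00400001, 0x00200007    # second lies in another client's range
STRING_ATOM = 31                                 # predefined atom STRING

SAMPLE_STREAM = b"".join([
    # MapWindow on our own window: fine.
    build_request(8, 0, struct.pack("<I", OWN_WIN)),
    # ChangeProperty on the trusted client's window, i.e. the write a selection
    # transfer needs; the resource-ID check rejects it.
    build_request(18, 0, struct.pack("<IIIB3xI", TRUSTED_WIN, 0x11f, STRING_ATOM, 8, 4) + b"text"),
    # GrabKeyboard on our own window: blocked by the special-case rule.
    build_request(31, 0, struct.pack("<IIBB2x", OWN_WIN, 0, 1, 1)),
    # CreateWindow as a child of the shared root window: fine.
    build_request(1, 24, struct.pack("<II6HII", OWN_WIN + 1, ROOT, 0, 0, 100, 100, 0, 1, 0, 0)),
    # InternAtom names no resources at all.
    build_request(16, 0, struct.pack("<H2x", 4) + b"TEXT"),
])

if __name__ == "__main__":
    for decision, why in filter_stream(SAMPLE_STREAM, SANDBOXED):
        print(decision, why)
```

Every request has to be fully decoded before the proxy can find its XID fields, which is the per-request cost the reply refers to when it says a general resource-ID check would slow the proxy down; the default-deny for unlisted opcodes is what keeps the table's incompleteness from becoming a bypass.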