Re: [Plash] Re: X11 proxy related questions

[Mark Seaborn]

Liraz <address@hidden> wrote:

> > What security properties are you interested in?  Preventing input
> > injection, for example, is much easier than preventing keyboard
> > snooping.  Preventing denial of service is hard.  You might want to
> > stop applications from stealing the input focus, for example, which
> > really requires window mangaer support; it can't easily be done by
> > Xpra or an X proxy on its own.
>
> I don't really care about preventing denial of service, but I do
> care about keyboard snooping which could reveal confidential data
> and also about allowing an untrusted application (e.g., firefox) to
> inject events into arbitrary windows on my desktop.

Xpra should block keyboard snooping and input injection.

> Stealing input focus is a borderline concern as I believe it would
> be harder to exploit in practice.

Yes, I agree it would be harder to exploit.

Stealing the input focus allows keyboard input to be stolen, but it is
different from other kinds of keyboard snooping in that the input does
not go to the original application, so the user should (eventually)
notice the difference.  If a malicious X client opened small top-level
window, this new window might not be very noticeable.  If the user
happens to be entering a password, the malicious client could capture
it.  The client would probably not have any way to tell when the user
is about to enter a password though, so the risk may be small.  Even
so, it could just get lucky.


> > The harder part is what it might mean to do that securely.  There are
> > some notes on the wiki about that:
> > <http://plash.beasts.org/wiki/TrustedPathButtons>
> > and a thread here:
> > <http://lists.laptop.org/pipermail/security/2008-April/000391.html>.
> > In brief, doing copy and paste via the keyboard shortcuts Ctrl-C and
> > Ctrl-V can be made secure without changing X applications, but making
> > Copy and Paste menu items secure will require modifying applications.
> 
> Good idea. I've read the links and I understand the principles, but does an 
> implementation already exist that I could try out?

There weren't any such trusted-path clipboard forwarders for X when
you asked the question (as far as I am aware), but since you asked, I
have written one and hooked it up to Xpra. :-)

To try it, check out the following:

svn checkout svn://svn.gna.org/svn/plash/scratch/x11-proxy

git clone http://plash.beasts.org/git/xpra.git

Follow the instruction in Xpra's README.xpra to install the
dependencies and build it, with the extra step that x11-proxy must be
added to PYTHONPATH.  I have only hooked up the clipboard forwarder to
the "xpra standalone" subcommand that I added in this branch, which
does not provide the persistence functionality (the P in Xpra).

So to run an application through Xpra, do something like:

export PYTHONPATH=$(pwd)/install/lib/python:../x11-proxy:$PYTHONPATH
export PATH=$(pwd)/install/bin:$PATH
xpra standalone COMMAND ARGS...

I tested this briefly with Leafpad (a very simple Notepad-like text
editor).  You can verify that Xpra is not forwarding the clipboard
unconditionally from the way the Edit -> Copy/Paste menu items don't
work unless the clipboard has been forwarded by pressing Ctrl-X,
Ctrl-C or Ctrl-V.

The forwarder is not complete.  It does not yet properly handle
different selection format types (called "targets" in the terminology
of the selection protocol).  I have put some notes on
http://plash.beasts.org/wiki/X11Selections.

Cheers,
Mark