
Re: Open Xlock as root



Savochkin Andrey Vladimirovich <saw@msu.ru> writes:
> On Sat, Dec 04, 1999 at 07:41:30PM -0800, Andrew Morgan wrote:
> > Good questions. This trust thing is a hard one to pin down. With X
> > especially, I'm on thin ice. Are you saying that there is something
> > fundamentally broken about X? Do you want to share your thoughts?
> 
> Yes, X is a fundamentally broken idea from security point of view.
> All of attached processes shared common resources without boundary checks.  I
> remember an exploit showing that every application can snoop a text typed by
> user in any window.  I don't know the current state of X but I bet that
> almost any abuse which can be imagined can be implemented.

Yes, but...

X attempts to be secure by restricting which clients can connect,
rather than restricting what clients can do once they are
connected. Once a process that is untrusted by the user has
successfully connected to the X server, security is out the window. So
the aim is to prevent that happening. You don't do "xhost +" lightly.

I agree that this is restrictive. But I don't think it is broken
(unless you count discretionary security as broken).

xdm is secure, as far as I know, since it tries to prevent anything
else from connecting to the X server. Once a user is logged in,
security is up to that user. (This is why the xlock/xscreensaver case
is a problem).

The X server itself has to be trusted, since it is installed by root,
and could arbitrarily corrupt the OS if it wanted. The window manager
cannot be trusted, since the user can run whichever WM they
want. Since the X protocol reveals a lot of the state of the X server
(such as all windows) to the window manager, multiple trusted paths
via X implies multiple X servers (or possibly multiple virtual X
servers hosted by a single process). XFree86 doesn't currently support
anything like this, except by switching to another VT.


David Wragg
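
An added example, not part of the original post: since the model described above depends entirely on which clients may connect, this shell function audits the access list printed by `xhost`. The function name `audit_xhost` and both sample outputs are constructed for illustration; on a live session the input would be `xhost | audit_xhost`.

```shell
# Constructed sample outputs in the format printed by xhost(1).
SAMPLE_OPEN='access control disabled, clients can connect from any host
INET:workstation.example
SI:localuser:alice'
SAMPLE_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:alice'

# Read xhost output on stdin, print one finding per line.
# Returns 1 if access control is disabled (the "xhost +" state), else 0.
audit_xhost() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "access control disabled"*)
                echo "HIGH: access control disabled, any client may connect"
                rc=1 ;;
            "access control enabled"*)
                echo "OK: access control enabled" ;;
            INET:*|INET6:*|DNET:*|NIS:*|KRB:*)
                # Host-based entries admit every user on the named host.
                echo "WARN: host-based entry $line" ;;
            LOCAL:)
                echo "WARN: all local connections allowed (LOCAL:)" ;;
            SI:localuser:*)
                echo "INFO: single local user allowed: $line" ;;
            "")
                ;;
            *)
                echo "INFO: unrecognised entry: $line" ;;
        esac
    done
    return "$rc"
}

# Demo on the constructed samples (exit status ignored here).
printf '%s\n' "$SAMPLE_OPEN" | audit_xhost || true
printf '%s\n' "$SAMPLE_CLOSED" | audit_xhost || true
```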


