
Re: Open Xlock as root

On Sat, 4 Dec 1999, Andrew Morgan wrote:

> > How can a trusted GUI agent make sure it talks to a trusted X server?
> > How can a person at the terminal make sure he or she talks to a trusted
> > GUI agent via a trusted X server?
> Good questions. This trust thing is a hard one to pin down. With X
> especially, I'm on thin ice. Are you saying that there is something
> fundamentally broken about X? Do you want to share your thoughts?

Well, it can be done...

         1  trusted   2  trusted    untrusted
person ---- terminal --- X server --- xlock --- PAM library
              hw           3  |                   |  5
                          trusted ------------- trusted
                         GUI agent       4      PAM helper

We can assume the 1st channel is protected by physical means ("Hey, stop
looking over my shoulder!") and channels 2 and 5 are protected by the
operating system itself. Channel 4 can be protected by any means
providing confidentiality and mutual authentication; crypto is one of the
options. A special CMW X server can (should be able to) protect the link
between channels 2 and 3 ("trusted keyboard focus") as well as channel 3.

The question is whether this rather convoluted scheme is worth it.
I myself think it is not.

On Sun, 5 Dec 1999, Ivan Popov wrote:

> Ideally privileged users should not login on untrusted computers, except
> by means of one-time passwords or, say, public keys.

One time passwords and naive key exchange protocols provide little
protection against man-in-the-middle attacks.

Moreover, human beings are not deployed with built-in crypto chips yet,
therefore they cannot take part in complicated cryptographic protocols.

On Sun, 5 Dec 1999, Savochkin Andrey Vladimirovich wrote:

> Yes, X is a fundamentally broken idea from security point of view.
> All of attached processes shared common resources without boundary checks.  I
> remember an exploit showing that every application can snoop a text typed by
> user in any window.  I don't know the current state of X but I bet that
> almost any abuse which can be imagined can be implemented.

(speaking about non-CMW systems) There is a rudimentary support for
boundary checks in R6.4: the SECURITY extension. It is supposed to be able
to separate the clients into two classes: trusted and untrusted.

On Mon, 6 Dec 1999, Craig R.P. Heath wrote:

> On a CMW system, this is achieved by modifying the X server so that
> there is a reserved area of the screen (sort of like a title bar at

Thanks for the detailed explanation. I thought CMW systems would do
something like that but I was not sure because I had never seen such a

On Mon, 6 Dec 1999, Stephen Langasek wrote:

> Right now, in most *standard* X server configurations, the X server can be
> trusted because it needs root permission.

Find the nearest Solaris machine and type "openwin". I bet you'll own the
server process.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
