[Noisebridge-discuss] Shell accounts at noisebridge

Chris Palmer chris at noncombatant.org
Sun Apr 12 20:35:27 UTC 2009


Andy says:

> secure.  I don't forward X11 or ssh-agent to it and wouldn't recommend

Oh god. About that.

In OpenSSH, -X is supposed to put remote X clients (i.e. X programs you 
run from the SSH server) in the X "untrusted" group (see the xauth(1) 
man page). Clients in the untrusted group have the X security policy 
(see SecurityPolicy(5)) applied to them; the default policy stops them 
from e.g. taking screenshots and logging keystrokes. The idea is that 
remote X clients on an untrustworthy server like pony can't hurt your 
local X server and trusted X clients too badly. (If you wanted remote 
clients to be in the "trusted" group for some reason, the OpenSSH -Y 
option provides that.)

I have tested this, and indeed it used to work. The only programs I know 
of that use this feature (the X SECURITY extension) are OpenSSH and my 
own program, isolate (http://code.google.com/p/isolate). Perhaps because 
only one well-known program uses it, the X developers appear to have 
removed the X SECURITY extension. In theory, the new XACE (X Access 
Control Extension) extension provides the same functionality plus more, 
but on FreeBSD 7.2 with the most recent batch of ports (X.org is a 
port), it is hella broken.

So, Andy *should* be nit-pickily wrong, but in fact he is right (if you 
made the mistake of upgrading to the latest stable X).

You can test this without using ssh or isolate:

    $ xauth -f goat.auth generate $DISPLAY . untrusted
    $ XAUTHORITY=goat.auth xeyes

xeyes should not have a transparent background; similarly, xkey should 
not be able to log keystrokes, scrot should not be able to take a 
screenshot, and so on. Otherwise, you are enjoying a new-fangled, 
security-disabled X server.

Now, even when it was working, X SECURITY had a bug (only live in some 
builds, including the default Ubuntu and FBSD builds at the time) that 
allowed *only* untrusted clients to crash the entire X server... tee hee.

Note that my updated-as-of-two-weeks ago Ubuntu still uses an X build 
with SECURITY, which allows me to have some security from untrusted 
clients --- as long as I don't run "XAUTHORITY=goat.auth evince" or any 
other GNOME program. For whatever reason, GNOME programs tickle the 
above-mentioned bug...
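
The pre-flight half of the manual test above, as an added example that is not part of the original post: it checks whether the X server still lists the SECURITY extension and whether an untrusted cookie can be generated at all. The function names and the sample xdpyinfo output are constructed for illustration; it assumes xdpyinfo and xauth are installed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample of `xdpyinfo` output, trimmed to the relevant part.
SAMPLE_XDPYINFO='name of display:    :0
number of extensions:    3
    BIG-REQUESTS
    SECURITY
    XC-MISC
default screen number:    0'

# Read xdpyinfo output on stdin; succeed only if SECURITY appears inside
# the indented extension list (not merely somewhere in the output).
has_security_ext() {
    awk '/^number of extensions:/   { inlist = 1; next }
         inlist && /^[^ ]/          { inlist = 0 }
         inlist && $1 == "SECURITY" { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Prepare an untrusted cookie in AUTHFILE for the current $DISPLAY and
# print a one-word verdict. Non-zero status means there is nothing to test.
check_untrusted_x() {
    authfile=$1
    if ! xdpyinfo | has_security_ext; then
        echo "no-security-extension"
        return 1
    fi
    if ! xauth -f "$authfile" generate "$DISPLAY" . untrusted >/dev/null 2>&1; then
        echo "cookie-generation-failed"
        return 1
    fi
    echo "untrusted-cookie-ready"
}

# Usage on a machine with a running X server:
#   check_untrusted_x goat.auth && XAUTHORITY=goat.auth xeyes
```

A verdict of untrusted-cookie-ready only means the cookie exists; whether the server actually restricts the client still has to be observed as described in the post.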
