[Noisebridge-discuss] Shell accounts at noisebridge
Chris Palmer
chris at noncombatant.org
Sun Apr 12 20:35:27 UTC 2009
Andy says:
> secure. I don't forward X11 or ssh-agent to it and wouldn't recommend
Oh god. About that.
In OpenSSH, -X is supposed to put remote X clients (i.e. X programs you
run from the SSH server) in the X "untrusted" group (see the xauth(1)
man page). Clients in the untrusted group have the X security policy
(see SecurityPolicy(5)) applied to them; the default policy stops them
from e.g. taking screenshots and logging keystrokes. The idea is that
remote X clients on an untrustworthy server like pony can't hurt your
local X server and trusted X clients too badly. (If you wanted remote
clients to be in the "trusted" group for some reason, the OpenSSH -Y
option provides that.)
I have tested this, and indeed it used to work. The only programs I know
of that use this feature (the X SECURITY extension) are OpenSSH and my
own program, isolate (http://code.google.com/p/isolate). Perhaps because
only one well-known program uses it, the X developers appear to have
removed the X SECURITY extension. In theory, the new XACE (X Access
Control Extension) extension provides the same functionality plus more,
but on FreeBSD 7.2 with the most recent batch of ports (X.org is a
port), it is hella broken.
So, Andy *should* be nit-pickily wrong, but in fact he is right (if you
made the mistake of upgrading to the latest stable X).
You can test this without using ssh or isolate:
$ xauth generate -f goat.auth $DISPLAY . untrusted
$ XAUTHORITY=goat.auth xeyes
xeyes should not have a transparent background; similarly, xkey should
not be able to log keystrokes, scrot should not be able to take a
screenshot, and so on. Otherwise, you are enjoying a new-fangled,
security-disabled X server.
Now, even when it was working, X SECURITY had a bug (only live in some
builds, including the default Ubuntu and FBSD builds at the time) that
allowed *only* untrusted clients to crash the entire X server... tee hee.
Note that my updated-as-of-two-weeks ago Ubuntu still uses an X build
with SECURITY, which allows me to have some security from untrusted
clients --- as long as I don't run "XAUTHORITY=goat.auth evince" or any
other GNOME program. For whatever reason, GNOME programs tickle the
above-mentioned bug...
More information about the Noisebridge-discuss
mailing list