By Dstart


2020-03-22 13:20:50 8 Comments

I'm new to X11 and want to understand if it is really as dangerous as they say on the Internet.

I will explain how I understand this. Any application launched from under the current user has access to the keyboard, mouse, display (e.g. taking a screenshot), and this is not good. But, if we install programs from the official repository (for example, for Debian), which are unlikely to contain keyloggers, etc., then the danger seems exaggerated. Am I wrong?

Yes, you can open applications on separate servers (for example, Xephyr), but this is inconvenient, since there is no shared clipboard. Creating a clipboard based on tmp files is also inconvenient.

2 comments

@Simon Richter 2020-03-23 10:33:01

Applications running on the same machine with the same user account can use the ptrace system call to modify each other's process memory, so X11 is not the most convenient attack surface here.

For applications you don't fully trust, you need to first run them with a different user ID (like Android does with applications from different vendors), and you can use the XSECURITY extension to generate an "untrusted" access token for the X server, with which the application's access to X11 is restricted:

  • no access to input events not directed at the own window
  • no access to the XTEST extension
  • no transparent windows

Input events in X11 have a Synthetic field that tells whether the input event was generated from an input device or sent from another program, and the receiving program decides what to do with synthetic events, for example xterm just ignores them. The XTEST extension allows generating non-Synthetic events from software for testing purposes, which is why untrusted clients are not allowed to use that extension.

@akostadinov 2020-03-23 21:03:09

I read somewhere in the past that untrusted is still not very secure.

@mosvy 2020-03-24 16:39:09

Unfortunately, the untrusted mode is pretty broken, and it will cause many apps to malfunction. Especially the fact that it hides the RENDER extension (despite it continuing to work) trips many programs which call XRenderQueryExtension.

@Simon Richter 2020-03-25 08:50:42

Yeah, a lot of modern programs weren't designed with security in mind -- they happily accept Synthetic events, and they require to be run with full privileges.
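An added example, not part of the original answer or comments and not code from any X11 project: the Synthetic flag described in the answer above is the top bit of the first byte of each 32-byte core-protocol event (Xlib exposes it as the `send_event` field), and this C code drops synthetic input events from a constructed event stream. The function names and sample events are assumptions made for illustration; events injected through XTEST do not carry the flag, so this check does not cover them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EV_SIZE      32   /* every core-protocol event is 32 bytes on the wire */
#define EV_SYNTHETIC 0x80 /* top bit of the code byte: delivered via SendEvent */
enum { EV_KEY_PRESS = 2, EV_MOTION_NOTIFY = 6 }; /* codes 2..6: key, button, motion */

/* 1 = act on the event, 0 = drop it. Only synthetic *input* events are dropped.
 * Other synthetic events pass: ClientMessage (code 33, e.g. a window manager's
 * close request) always arrives via SendEvent, so a blanket drop breaks WMs. */
int accept_event(const uint8_t *ev)
{
    int code = ev[0] & 0x7f;
    int is_input = code >= EV_KEY_PRESS && code <= EV_MOTION_NOTIFY;
    return !(is_input && (ev[0] & EV_SYNTHETIC));
}

/* Copy accepted events from in[] to out[] (room for n events); return the count. */
size_t filter_events(const uint8_t *in, size_t n, uint8_t *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (accept_event(in + i * EV_SIZE))
            memcpy(out + EV_SIZE * kept++, in + i * EV_SIZE, EV_SIZE);
    return kept;
}

/* Constructed sample stream: only the code and detail bytes are filled in. */
size_t run_sample(uint8_t *out)
{
    static const uint8_t heads[5][2] = {
        {2, 38},         /* KeyPress from a device, keycode 38 */
        {2 | 0x80, 38},  /* KeyPress sent by another client */
        {33 | 0x80, 32}, /* ClientMessage, format 32 */
        {4, 1},          /* ButtonPress from a device, button 1 */
        {6 | 0x80, 0},   /* MotionNotify sent by another client */
    };
    uint8_t in[5 * EV_SIZE] = {0};
    for (size_t i = 0; i < 5; i++)
        memcpy(in + i * EV_SIZE, heads[i], 2);
    return filter_events(in, 5, out);
}
int main(void)
{
    uint8_t out[5 * EV_SIZE];
    printf("kept %zu of 5 events\n", run_sample(out));
    return 0;
}
```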

@mosvy 2020-03-22 16:45:59

> Any application launched from under the current user has access to the keyboard, mouse, display (e.g. taking a screenshot), and this is not good.

All the X11 clients on a desktop can access each other in depth, including getting the content of any window, changing it, closing any window, faking key and mouse events to any other client, grabbing any input device, etc.

The X11 protocol design is based on the idea that the clients are all TRUSTED and will collaborate, not step on each other's toes (the latter completely broken by modern apps like Firefox, Chrome or Java).

> BUT, if we install programs from the official repository (for example, for Debian), which are unlikely to contain keyloggers, etc., then the danger problem is clearly exaggerated. Am I wrong?

Programs have bugs, which may be exploited. The X11 server and libraries may not be up-to-date. For instance, any X11 client can crash the X server in the current version of Debian (Buster 10) via innocuous Xkb requests. (That was fixed in the upstream sources, but didn't make it yet in Debian). If it's able to crash it, then there's some probability that it's also able to execute code with the privileges of the X11 server (access to hardware, etc).

For the problems with the lax authentication in Xwayland (and the regular Xorg Xserver in Debian), see the notes at the end of this answer.

> Yes, you can open applications on separate servers (for example, Xephyr), but this is inconvenient, since there is no shared clipboard. Creating a clipboard based on tmp files is also inconvenient.

Notice that unless you take extra steps, Xephyr allows any local user to connect to it by default. See this for a discussion about it.

Creating a shared clipboard between multiple X11 servers is an interesting problem, which deserves its own Q&A, rather than mixed with this.

@Dstart 2020-03-22 17:54:46

Thank you! Yes, I already know that Xephyr by default allows any local user to connect to it, but since I use the Firejail sandbox, the authorization procedure happens by default there.

@Stephen Kitt 2020-03-22 18:54:40

Just curious, what’s specifically bad about Java in this context?

@mosvy 2020-03-23 02:44:10

@StephenKitt Java apps (swing) steal the focus upon starting, which means that they completely break any focus-follows-mouse model, unless treated specially. Just like Firefox, java apps need special assistance from the window manager, otherwise drop-down menus won't open, entry boxes won't focus, etc. I don't know if that's still the case, but java was assuming that a window manager is reparenting, unless it was named "LG3D" or similar (java library had a select list of non-parenting WMs, and all the other non-reparenting WMs had to lie about their name ;-)).

@Paul 2020-03-23 03:09:53

@mosvy that's still the case, at least for openjdk. E.g. in xmonad, you have to configure "LG3D" as window manager-name. Otherwise java-applications with a gui won't work.

@Stephen Kitt 2020-03-23 10:11:05

Ah right @mosvy, thanks for the clarification; that’s the awful “inset” handling baked into AWT imported from Win32 (!). (I use sloppy focus, but I leave the Java applications I use open most of the time so they only get one chance to steal it.)

@user1686 2020-03-23 10:15:33

I remember Java (and Wine) having plenty of issues, but I didn't know Firefox also needed special accommodations – is that a recent thing, or was it already "bad" in the Netscape era?

@Andrew Henle 2020-03-23 13:45:57

@mosvy "Java apps (swing) steal the focus upon starting" If that makes something a security concern, half the applications coded for Windows are insecure [insert your own joke here]. Somebody needs to take a three-weeks-dead, fully rotten mackerel and use it to slap the UX clowns who insist their app is "special" and MUST steal focus on startup.

@mosvy 2020-03-23 17:53:45

@user1686 Firefox does need a WM, and a WM which does more than ICCCM and EWMH require from it. To verify my claim, start a separate X11 server (e.g. with `Xorg :7`) and then run firefox on it: `firefox --display=:7 --new-instance -P someprofile`. Then try to enter something in the address bar: the suggestions drop-down list will open and then close immediately. Or press Alt to show the menubar, and click on an entry. Or click on the hamburger menu, etc.

@Will Crawford 2020-03-24 13:44:20

@AndrewHenle or some kinda Finnish delicacy.

@Erlkoenig 2020-03-24 13:46:37

I can't find the source anymore, but I once read the reason why MS Office steals the focus is to prevent lots of support calls "I triple-clicked on Excel on my desktop because I don't have enough motor control to just double-click, and it didn't start" (because Excel is actually minimized because the 3rd click re-focused the desktop) and users don't know how to switch windows. So, focus stealing is actually intentional from the UX perspective.
