zlacker

1. nitrog+(OP)[view] [source] 2011-04-23 23:29:46
Now, for the best, start another terminal window, and switch to root (e.g. using su, or sudo). Notice how the xinput running as user is able to sniff all your keystrokes, including root password (for su), and then all the keystrokes you enter in your root session. Start some GUI app as root, or as different user, again notice how your xinput can sniff all the keystrokes you enter to this other app!

This is not the problem it's made out to be:

1. An application running as a different user can only connect to the X server if it has access to the .Xauthority file. This means there's no risk of having another user connect to your X session and sniff keystrokes, unless you explicitly chmod o+r ~/.Xauthority.

2. One should never run untrusted applications.

Now, I will grant that better GUI process isolation and/or granular X permissions would be useful, in that it would lay the groundwork for a safe way of allowing an untrusted remote (or local) process to display a GUI on the local X screen. I've also always wished window managers would highlight windows from a different user with a red border, mostly so I could tell which file browser window I'd started with sudo.

replies(4): >>tzs+l1 >>rst+y1 >>ericb+f2 >>teduna+w2
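As an added example (not code from the thread or from X.Org), here is a small Python audit of the .Xauthority file that point 1 above relies on: it parses the file's binary cookie entries and flags the world-readable mode the post warns about. The field layout and family codes follow <X11/Xauth.h>; the host name and cookie bytes in demo() are constructed sample data.

```python
import os
import struct
import tempfile

def _field(buf, pos):
    """Read one big-endian uint16 length-prefixed field starting at pos."""
    (length,) = struct.unpack_from(">H", buf, pos)
    field = buf[pos + 2:pos + 2 + length]
    if len(field) != length:
        raise ValueError("truncated .Xauthority entry")
    return field, pos + 2 + length

def parse_xauthority(buf):
    """Each entry: uint16 family (256 = Local, 0 = Internet), then length-prefixed address, display, name, data."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        address, pos = _field(buf, pos + 2)
        number, pos = _field(buf, pos)
        name, pos = _field(buf, pos)
        data, pos = _field(buf, pos)
        entries.append({"family": family, "address": address.decode("latin-1"),
                        "display": number.decode("ascii"), "name": name.decode("ascii"),
                        "cookie_hex": data.hex()})
    return entries

def build_entry(family, address, number, name, data):
    """Encode one entry; used here only to construct sample input."""
    out = struct.pack(">H", family)
    for f in (address, number, name, data):
        out += struct.pack(">H", len(f)) + f
    return out

def audit_xauthority(path):
    """'exposed' is True when group or others hold read permission on the cookie file."""
    mode = os.stat(path).st_mode
    with open(path, "rb") as fh:
        entries = parse_xauthority(fh.read())
    return {"exposed": bool(mode & 0o044), "entries": entries}  # 0o044 = g+r, o+r bits

def demo(mode=0o644):
    """Audit a constructed one-cookie file for local display :0, saved with the given mode."""
    fd, path = tempfile.mkstemp()
    try:
        # Constructed sample: hostname "myhost", display :0, 16 predictable cookie bytes.
        os.write(fd, build_entry(256, b"myhost", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16))))
        os.close(fd)
        os.chmod(path, mode)
        return audit_xauthority(path)
    finally:
        os.remove(path)
```

Run `audit_xauthority(os.path.expanduser("~/.Xauthority"))` on a real session to see the same report for your own cookies.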
2. tzs+l1[view] [source] 2011-04-24 00:17:06
>>nitrog+(OP)
You can't always avoid untrusted applications if you use the net, unless you make sure to only use client software that has no exploitable bugs that can lead to local code execution.
3. rst+y1[view] [source] 2011-04-24 00:24:35
>>nitrog+(OP)
"One should never run untrusted applications."

So, what applications do you trust, to never, under any circumstances, get subverted by third parties? I don't know about you, but I personally find it hard to have that level of trust in anything that's written in C, and talks to the network --- but without any of those, these days, you're left with a pretty spartan and uncomfortable environment.

Besides which, allowing any app to read any other's keystrokes, without special arrangement is a pretty clear violation of the principle of least privilege. It may have been appropriate for research environments twenty years ago ("hey, the window manager can be just another app! isn't that neat?"), but Rutkowska's quite right to say that it's not good design for the world that we're living in now...

4. ericb+f2[view] [source] 2011-04-24 00:52:44
>>nitrog+(OP)
> One should never run untrusted applications.

Security through omniscience? Is that any kind of answer? This is a hole that can be plugged.

5. teduna+w2[view] [source] 2011-04-24 00:59:06
>>nitrog+(OP)
I believe the point is that users want to run Firefox and OpenOffice at the same time, but they don't trust Firefox to not have remotely exploitable bugs. So they run Firefox as a different user, assuming that if it can't read their secret files or the memory of OpenOffice, they're safe. They are wrong.

This problem has in fact been solved by the X security extension. The problem is that nobody tests their programs as untrusted clients. GTK, for instance, will more or less immediately abort because its error checking consists of assert(trusted_only_operation()).

replies(1): >>rtaych+do
6. rtaych+do[view] [source] [discussion] 2011-04-24 18:35:47
>>teduna+w2
I think this is what Android does, isn't it? Although Android doesn't use X.