| 1 |
On Sat, Jul 29, 2017 at 1:17 PM, Mart Raudsepp <leio@g.o> wrote: |
| 2 |
> Ühel kenal päeval, L, 29.07.2017 kell 12:58, kirjutas R0b0t1: |
| 3 |
>> On Sat, Jul 29, 2017 at 11:17 AM, Mart Raudsepp <leio@g.o> |
| 4 |
>> wrote: |
| 5 |
>> > Ühel kenal päeval, L, 29.07.2017 kell 13:20, kirjutas tuxic@posteo. |
| 6 |
>> > de: |
| 7 |
>> > > The task is already accomplished :) with a mixture of WM-based |
| 8 |
>> > > hotkey definitions and a delayed commandline utility (main,scrot, |
| 9 |
>> > > imagemagick). |
| 10 |
>> > > Addtionally I dont think that my X11 uses framebuffer (not shure |
| 11 |
>> > > about that, though)... |
| 12 |
>> > |
| 13 |
>> > Those tools work by using an inherent X11 security hole by reading |
| 14 |
>> > out |
| 15 |
>> > the root window, it's not relevant to framebuffer in the kernel |
| 16 |
>> > sense. |
| 17 |
>> > |
| 18 |
>> > Note that you can't use a global shortcut key in X11 while a |
| 19 |
>> > typical |
| 20 |
>> > right click context menu is open, because these take a X11 grab and |
| 21 |
>> > even screen lock can't activate.. Then only the delay approach will |
| 22 |
>> > work (if desired then together with a shortcut if the shortcut key |
| 23 |
>> > is |
| 24 |
>> > hit before opening the context menu). Fortunately in this case you |
| 25 |
>> > only |
| 26 |
>> > wanted a dropdown in firefox, which isn't implemented like that. |
| 27 |
>> > This popup menu problem is solved with Wayland (most importantly |
| 28 |
>> > the |
| 29 |
>> > not screenlocking aspect of it), but so is the root window security |
| 30 |
>> > hole, so the compositor/WM needs to take the screenshot and tools |
| 31 |
>> > like |
| 32 |
>> > import/scrot won't work. |
| 33 |
>> > |
| 34 |
>> |
| 35 |
>> I'm not really sure it is fair to call that a security problem. It's |
| 36 |
>> intentional, and that is because there are plenty of things that need |
| 37 |
>> access to the whole desktop at once. E.g. automating anything that |
| 38 |
>> doesn't expose a development API or have an accessibility API can |
| 39 |
>> pretty much only be done by scraping the contents of the screen - |
| 40 |
>> these programs simply don't work in Wayland? That seems like a |
| 41 |
>> misfeature. |
| 42 |
> |
| 43 |
> I'm calling things as they are. |
| 44 |
> It is intentional only to the point of it not having been a concern |
| 45 |
> back in the 1980s during X11 protocol designing. |
| 46 |
> |
| 47 |
> Any program running under the user can see the whole contents of their |
| 48 |
> screen - not just their own; that's how these screenshotters work too, |
| 49 |
> but it's easy to think of more nefarious use cases. |
| 50 |
> |
| 51 |
> Any program running under the user can listen to all key events meant |
| 52 |
> for any other X application - that's how global shortcuts from random |
| 53 |
> daemons or whatnot work (instead of DE provided hooks). It is trivial |
| 54 |
> to write a key snooper. |
| 55 |
> |
| 56 |
|
| 57 |
This is true but they are shared resources. You can add some hoops to |
| 58 |
jump through but there will always be a shortcut that makes the |
| 59 |
security system irrelevant as long as there is a user sitting down in |
| 60 |
front of the computer running more than one process. |
| 61 |
|
| 62 |
> Now yes, this is local issues, so hopefully you are good on remote |
| 63 |
> access issues, but if not, it might be game over for your terminal |
| 64 |
> entered ssh passwords or whatever. There exist some mitigation |
| 65 |
> techniques in the form of some non-standard X modules and other means, |
| 66 |
> but they are usually not used and also can break such non-nefarious |
| 67 |
> tools that make use of these aspects. |
| 68 |
> Due to it being local (unless you for some reason enable TCP for X.org |
| 69 |
> or something...) you can probably not worry about it too much, but it |
| 70 |
> doesn't change the fact that they are security issues to the core of |
| 71 |
> X.org, carried over from the 1980s. |
| 72 |
> |
| 73 |
|
| 74 |
Again, you're baselessly calling these things security issues. That I |
| 75 |
can see the entire screen or receive all key events is simply |
| 76 |
necessary for a desktop to exist as people want to use it. You can add |
| 77 |
restrictions that might affect newly launched programs but can have |
| 78 |
more permissive settings configured for known programs, but this is |
| 79 |
getting close to something like SELinux, which already exists, and |
| 80 |
which people don't want to use because it is annoying. |
| 81 |
|
| 82 |
If this is a security problem then the fact that process isolation |
| 83 |
within a user ID pretty much does not exist is also a security problem |
| 84 |
and a far bigger one that makes anything you might want to do |
| 85 |
pointless. Any process running as you can just read and write |
| 86 |
/proc/<pid> files or use ptrace to modify the state of another program |
| 87 |
you are running. I don't need to see all key events to get your |
| 88 |
password. |
| 89 |
|
| 90 |
Every process is effectively running as the most privileged process |
| 91 |
being run by the user who owns it. If you have a terminal open |
| 92 |
somewhere that has a root login I could eventually synthesize |
| 93 |
keystrokes to that process and run whatever I wanted to run. Do you |
| 94 |
want to avoid this? Congratulations, you've invented mandatory access |
| 95 |
control! |
| 96 |
|
| 97 |
> |
| 98 |
> To solve these things in Wayland, there are cross-desktop protocols |
| 99 |
> being specified to achieve these in a more arbitrated, correct and |
| 100 |
> secure manner. There is proper isolation between applications. |
| 101 |
> |
| 102 |
|
| 103 |
Do you have a link to this? How are they different from X's protocols? |
| 104 |
What about programs associated with the same Wayland session? A lot of |
| 105 |
potential "fixes" actually don't accomplish anything and just make the |
| 106 |
system harder to use. |
| 107 |
|
| 108 |
On Linux there really is no problem, because the display daemon is |
| 109 |
separate from the kernel and from any normal user. That gives you as |
| 110 |
much compartmentalization as you're going to get without modifying how |
| 111 |
the kernel manages processes or installing a mandatory access control |
| 112 |
system. |
| 113 |
|
| 114 |
|
| 115 |
I think I should provide something to contrast the current state of X11/Wayland: |
| 116 |
|
| 117 |
Windows had a terrible security issue stemming from daemon programs |
| 118 |
being run in the equivalent of the same X11 session as the one used to |
| 119 |
serve the user. There is a kernel space memory sharing IPC mechanism |
| 120 |
based on window messages (like X11 events) that handles user input but |
| 121 |
also some OS facilities because it's already in kernel space and can |
| 122 |
access those things. The desktop session is the memory boundary in the |
| 123 |
kernel for this IPC mechanism, so as daemons were run in the same |
| 124 |
desktop as the user, I could post WM_TIMER to a system process and |
| 125 |
supply code to be run when the timer expires, and have an asynchronous |
| 126 |
procedure call be dispatched to the system process to run my code. |
| 127 |
|
| 128 |
Microsoft responded that this was intended. In a sense they're not |
| 129 |
actually wrong - it is next to impossible to prevent behavior like |
| 130 |
this considering what a desktop is trying to be conceptually and they |
| 131 |
published an advisory warning that every process in a desktop is |
| 132 |
actually running as the most privileged process in that desktop. The |
| 133 |
solution was to not run daemons in the same place that untrusted code |
| 134 |
would be running: |
| 135 |
https://msdn.microsoft.com/en-us/library/windows/hardware/dn653293(v=vs.85).aspx. |
| 136 |
|
| 137 |
It's also very poorly documented (fortunately) but it is actually |
| 138 |
possible to have a Windows driver create a GUI directly. They made |
| 139 |
this harder to do despite no public instances of it ever being done. |
| 140 |
|
| 141 |
|
| 142 |
If you can't find similar design choices in Linux/X11/Wayland, that |
| 143 |
means they're doing far better than average. Last I checked, sshd has |
| 144 |
no presence on my desktop. |
| 145 |
|
| 146 |
R0b0t1. |
Archives