1 |
On Sat, Jul 29, 2017 at 1:17 PM, Mart Raudsepp <leio@g.o> wrote: |
2 |
> Ühel kenal päeval, L, 29.07.2017 kell 12:58, kirjutas R0b0t1: |
3 |
>> On Sat, Jul 29, 2017 at 11:17 AM, Mart Raudsepp <leio@g.o> |
4 |
>> wrote: |
5 |
>> > Ühel kenal päeval, L, 29.07.2017 kell 13:20, kirjutas tuxic@posteo. |
6 |
>> > de: |
7 |
>> > > The task is already accomplished :) with a mixture of WM-based |
8 |
>> > > hotkey definitions and a delayed commandline utility (main,scrot, |
9 |
>> > > imagemagick). |
10 |
>> > > Addtionally I dont think that my X11 uses framebuffer (not shure |
11 |
>> > > about that, though)... |
12 |
>> > |
13 |
>> > Those tools work by using an inherent X11 security hole by reading |
14 |
>> > out |
15 |
>> > the root window, it's not relevant to framebuffer in the kernel |
16 |
>> > sense. |
17 |
>> > |
18 |
>> > Note that you can't use a global shortcut key in X11 while a |
19 |
>> > typical |
20 |
>> > right click context menu is open, because these take a X11 grab and |
21 |
>> > even screen lock can't activate.. Then only the delay approach will |
22 |
>> > work (if desired then together with a shortcut if the shortcut key |
23 |
>> > is |
24 |
>> > hit before opening the context menu). Fortunately in this case you |
25 |
>> > only |
26 |
>> > wanted a dropdown in firefox, which isn't implemented like that. |
27 |
>> > This popup menu problem is solved with Wayland (most importantly |
28 |
>> > the |
29 |
>> > not screenlocking aspect of it), but so is the root window security |
30 |
>> > hole, so the compositor/WM needs to take the screenshot and tools |
31 |
>> > like |
32 |
>> > import/scrot won't work. |
33 |
>> > |
34 |
>> |
35 |
>> I'm not really sure it is fair to call that a security problem. It's |
36 |
>> intentional, and that is because there are plenty of things that need |
37 |
>> access to the whole desktop at once. E.g. automating anything that |
38 |
>> doesn't expose a development API or have an accessibility API can |
39 |
>> pretty much only be done by scraping the contents of the screen - |
40 |
>> these programs simply don't work in Wayland? That seems like a |
41 |
>> misfeature. |
42 |
> |
43 |
> I'm calling things as they are. |
44 |
> It is intentional only to the point of it not having been a concern |
45 |
> back in the 1980s during X11 protocol designing. |
46 |
> |
47 |
> Any program running under the user can see the whole contents of their |
48 |
> screen - not just their own; that's how these screenshotters work too, |
49 |
> but it's easy to think of more nefarious use cases. |
50 |
> |
51 |
> Any program running under the user can listen to all key events meant |
52 |
> for any other X application - that's how global shortcuts from random |
53 |
> daemons or whatnot work (instead of DE provided hooks). It is trivial |
54 |
> to write a key snooper. |
55 |
> |
56 |
|
57 |
This is true but they are shared resources. You can add some hoops to |
58 |
jump through but there will always be a shortcut that makes the |
59 |
security system irrelevant as long as there is a user sitting down in |
60 |
front of the computer running more than one process. |
61 |
|
62 |
> Now yes, this is local issues, so hopefully you are good on remote |
63 |
> access issues, but if not, it might be game over for your terminal |
64 |
> entered ssh passwords or whatever. There exist some mitigation |
65 |
> techniques in the form of some non-standard X modules and other means, |
66 |
> but they are usually not used and also can break such non-nefarious |
67 |
> tools that make use of these aspects. |
68 |
> Due to it being local (unless you for some reason enable TCP for X.org |
69 |
> or something...) you can probably not worry about it too much, but it |
70 |
> doesn't change the fact that they are security issues to the core of |
71 |
> X.org, carried over from the 1980s. |
72 |
> |
73 |
|
74 |
Again, you're baselessly calling these things security issues. That I |
75 |
can see the entire screen or receive all key events is simply |
76 |
necessary for a desktop to exist as people want to use it. You can add |
77 |
restrictions that might affect newly launched programs but can have |
78 |
more permissive settings configured for known programs, but this is |
79 |
getting close to something like SELinux, which already exists, and |
80 |
which people don't want to use because it is annoying. |
81 |
|
82 |
If this is a security problem then the fact that process isolation |
83 |
within a user ID pretty much does not exist is also a security problem |
84 |
and a far bigger one that makes anything you might want to do |
85 |
pointless. Any process running as you can just read and write |
86 |
/proc/<pid> files or use ptrace to modify the state of another program |
87 |
you are running. I don't need to see all key events to get your |
88 |
password. |
89 |
|
90 |
Every process is effectively running as the most privileged process |
91 |
being run by the user who owns it. If you have a terminal open |
92 |
somewhere that has a root login I could eventually synthesize |
93 |
keystrokes to that process and run whatever I wanted to run. Do you |
94 |
want to avoid this? Congratulations, you've invented mandatory access |
95 |
control! |
96 |
|
97 |
> |
98 |
> To solve these things in Wayland, there are cross-desktop protocols |
99 |
> being specified to achieve these in a more arbitrated, correct and |
100 |
> secure manner. There is proper isolation between applications. |
101 |
> |
102 |
|
103 |
Do you have a link to this? How are they different from X's protocols? |
104 |
What about programs associated with the same Wayland session? A lot of |
105 |
potential "fixes" actually don't accomplish anything and just make the |
106 |
system harder to use. |
107 |
|
108 |
On Linux there really is no problem, because the display daemon is |
109 |
separate from the kernel and from any normal user. That gives you as |
110 |
much compartmentalization as you're going to get without modifying how |
111 |
the kernel manages processes or installing a mandatory access control |
112 |
system. |
113 |
|
114 |
|
115 |
I think I should provide something to contrast the current state of X11/Wayland: |
116 |
|
117 |
Windows had a terrible security issue stemming from daemon programs |
118 |
being run in the equivalent of the same X11 session as the one used to |
119 |
serve the user. There is a kernel space memory sharing IPC mechanism |
120 |
based on window messages (like X11 events) that handles user input but |
121 |
also some OS facilities because it's already in kernel space and can |
122 |
access those things. The desktop session is the memory boundary in the |
123 |
kernel for this IPC mechanism, so as daemons were run in the same |
124 |
desktop as the user, I could post WM_TIMER to a system process and |
125 |
supply code to be run when the timer expires, and have an asynchronous |
126 |
procedure call be dispatched to the system process to run my code. |
127 |
|
128 |
Microsoft responded that this was intended. In a sense they're not |
129 |
actually wrong - it is next to impossible to prevent behavior like |
130 |
this considering what a desktop is trying to be conceptually and they |
131 |
published an advisory warning that every process in a desktop is |
132 |
actually running as the most privileged process in that desktop. The |
133 |
solution was to not run daemons in the same place that untrusted code |
134 |
would be running: |
135 |
https://msdn.microsoft.com/en-us/library/windows/hardware/dn653293(v=vs.85).aspx. |
136 |
|
137 |
It's also very poorly documented (fortunately) but it is actually |
138 |
possible to have a Windows driver create a GUI directly. They made |
139 |
this harder to do despite no public instances of it ever being done. |
140 |
|
141 |
|
142 |
If you can't find similar design choices in Linux/X11/Wayland, that |
143 |
means they're doing far better than average. Last I checked, sshd has |
144 |
no presence on my desktop. |
145 |
|
146 |
R0b0t1. |