On Mon, 22 Oct 2012, Julian <tempura@internode.on.net> wrote:
Do I trust any and all of the x applications I run? Thanks for the software, but I don't sorry. I'm not impressed by this at all and I'm ashamed I never new about it. I honestly thought there was some level of isolation, but there appears to be none. [...] Remember this has nothing to do with xauth or xhost. This is a feature of a single displayed instance of X. Login to your bank, paypal, su as root, whatever and hope xeyes isn't logging your keystokes or run xinput and watch it for yourself.
Xephyr is the way to run untrusted X apps. They don't have to be run in a virtual machine, a different UID and/or SE Linux security context will do if you trust your kernel not to have local vulnerabilities. If you don't trust your kernel then by running a virtual machine you trust the VM system and the CPU both of which have the potential for bugs (and have had bugs in the past). You can use a separate PC for running untrusted apps, but then you have the issue of whether Xephyr is secure enough. Basically Xephyr is a program that creates a single window of a specified resolution on your X session and exports X access to that. So you can have a basic TWM setup (for a simple program) or a KDE or GNOME session in the virtual X environment. Below is one of the scripts I use for Xephyr. Note that it's using unencrypted X over the LAN. $ cat xe-basic #!/bin/sh IP=10.1.2.3 if [ "$XCMD" = "" ]; then XCMD=twm fi COOKIE=`mcookie` FILE=~/.XSauth-1 rm -f $FILE #echo $COOKIE HOST=$1 shift ssh $HOST "echo \"add $IP:1 . $COOKIE\" | xauth" echo "add :1 . $COOKIE" | xauth -f $FILE Xephyr :1 -auth $FILE -reset -terminate $* & #Xephyr :1 -auth $FILE $* & #DISPLAY=$IP:1 ssh $HOST twm ssh $HOST "DISPLAY=$IP:1 $XCMD" wait Here is one that tunnels all X over ssh: $ cat xe-enc-basic #!/bin/sh if [ "$XCMD" = "" ]; then XCMD=twm fi COOKIE=`mcookie` FILE=~/.XSauth-1 rm -f $FILE HOST=$1 shift ssh $HOST "echo \"add $IP:1 . $COOKIE\" | xauth" echo "add :1 . $COOKIE" | xauth -f $FILE echo "add :1 . $COOKIE" | xauth Xephyr :1 -auth $FILE -reset -terminate $* & DISPLAY=:1 ssh -C -Y $HOST "$XCMD" wait -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/