Questions about the SECURITY extension, and X security generally

Chris Palmer chris at noncombatant.org
Sun Dec 21 15:23:41 PST 2008


Hello everyone,

I want to enjoy the benefits of the X SECURITY extension, such as with
OpenSSH's -X (vs. -Y) option. I have read Alan Coopersmith's slide deck, for
example, which promises good things:

http://people.freedesktop.org/~alanc/ddc-2006.pdf

I have also read the X Security Extension Specification:

http://www.xfree86.org/current/security.pdf

I want to be able to stop X clients running on remote servers from being
able to e.g. take a screenshot of other (local client) windows or log
keystrokes intended for other (local) clients. Unless I'm confused (again!
it keeps happening...), Coopersmith's slides seem to say that this is
possible.

As far as I can tell, I do have the SECURITY extension, and I even use a
more restrictive security policy file than the default. I start X by saying
"startx -- +extension SECURITY -sp .x-security-policy -audit 4". (My
platform is FreeBSD 7, btw. I have also tested, less rigorously, with Ubuntu
8 and have had the same results.)

Using a dumb keylogger I wrote (my first raw X program) and scrot, I can
read all keystrokes and take a screenshot of the whole screen, from a remote
machine that I connected to with "ssh -X".

I have searched the xdg archives, but there does not seem to have been any
discussion of the SECURITY extension.

Can anyone provide any clues? "What you want is not possible", "Post to a
different mailing list", or similar is also helpful. Anything is helpful,
really...

Thanks!
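
An added check, not part of the original post: whether "ssh -X" gives an untrusted connection depends on the client's ForwardX11Trusted setting. With "ForwardX11Trusted yes", a -X connection is forwarded as trusted, the same as -Y, and the SECURITY extension does not restrict it. The function names and sample inputs below are constructed for illustration, and `ssh -G` is assumed to be available (OpenSSH 6.8 or later).

```shell
#!/bin/sh
# Classify how ssh would forward X11, reading `ssh -G` output on stdin.
# Prints one of: off, untrusted, trusted
x11_trust_mode() {
    awk '
        { key = tolower($1) }
        key == "forwardx11"        { fwd = tolower($2) }
        key == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# Succeeds if the extension list in `xdpyinfo` output (stdin) names SECURITY.
# Without it the server cannot issue untrusted authorizations at all.
has_security_extension() {
    grep -Eq '^[[:space:]]*SECURITY[[:space:]]*$'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_UNTRUSTED='forwardx11 yes
forwardx11trusted no'
SAMPLE_TRUSTED='forwardx11 yes
forwardx11trusted yes'
SAMPLE_XDPYINFO='number of extensions:    3
    BIG-REQUESTS
    SECURITY
    XTEST'

# Real use, on the local machine:
#   ssh -G -X remotehost | x11_trust_mode
#   xdpyinfo | has_security_extension && echo "SECURITY present"
printf '%s\n' "$SAMPLE_TRUSTED" | x11_trust_mode
```

A result of "trusted" for a -X connection means the remote clients hold a normal, unrestricted authorization, so screen capture and keyboard snooping by them are expected.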


