Migration of windows between displays

Perry Lorier perry at coders.net
Thu Nov 11 23:19:49 EET 2004 

Jim Gettys wrote:
> Phil Blundell has done this on the iPAQ (migrating from a small screen
> to a workstation).

Neat!

> The big issue is making sure applications can't be easily hijacked; some
> sort of authentication mechanism is required to ensure that doesn't
> happen.

What is the threat model here?  Presumably if they can write properties 
onto a window the attacker can range from being a real nuisance 
(minimizing windows etc), through to doing outright damage (eg sending 
synthesized events to the window getting it to quit without saving, or 
deleting files for example).  Is this the right level of abstraction to 
place security?  If hostile users have access to the display then 
perhaps there should be another X Extension that should deal with what 
they can/can't do, perhaps providing ACL's per property if necessary?

I must admit I don't really understand X's internal security mechanisms 
other than I need a magic cookie to connect to a display, and newer 
versions of ssh have some kind of "insecure x forwarding" mode that 
seems to break some applications.

What kind of security is necessary?  If not everyone who has permission 
to access the display doesn't have the necessary permission to ask an 
application to move displays, who does?  Is strong crypto necessary (can 
the wire be sniffed/MiTM?) or even usable? (do IPaq's have enough 
processing power to not introduce heaps of latency when moving large 
numbers of windows around?) is a simple cookie instead appropriate?

> So yes, we need a standard in this area, and we also need to worry about
> the security consequences.
> 
> There is other implementation work to fully flesh out this vision:
> 	a) right now, gtk can't quite remove itself entirely from the
> 	   display; some more work is needed there.

Hmm, irritating :)  Maybe I'll have to start looking deeper into how gtk 
works.

> 	b) Xlib needs some work to allow applications to be notified if
> 	   their display connection fails.  I did some work here a year
> 	   ago, but haven't had time to complete it since, due to all
> 	   the XFree86/X.org upheavals and subsequent transition.

and maybe xlib too :)  (I was so hoping to avoid learning how xlib works :)

> 	c) we need to deal with the security issues that this
> 	   capability raises.

See above :)

More information about the xdg mailing list