Migration of windows between displays
Perry Lorier
perry at coders.net
Thu Nov 11 23:19:49 EET 2004
Jim Gettys wrote:
> Phil Blundell has done this on the iPAQ (migrating from a small screen
> to a workstation).
Neat!
> The big issue is making sure applications can't be easily hijacked; some
> sort of authentication mechanism is required to ensure that doesn't
> happen.
What is the threat model here? Presumably if they can write properties
onto a window the attacker can range from being a real nuisance
(minimizing windows etc), through to doing outright damage (eg sending
synthesized events to the window getting it to quit without saving, or
deleting files for example). Is this the right level of abstraction to
place security? If hostile users have access to the display then
perhaps there should be another X Extension that should deal with what
they can/can't do, perhaps providing ACL's per property if necessary?
I must admit I don't really understand X's internal security mechanisms
other than I need a magic cookie to connect to a display, and newer
versions of ssh have some kind of "insecure x forwarding" mode that
seems to break some applications.
What kind of security is necessary? If not everyone who has permission
to access the display doesn't have the necessary permission to ask an
application to move displays, who does? Is strong crypto necessary (can
the wire be sniffed/MiTM?) or even usable? (do IPaq's have enough
processing power to not introduce heaps of latency when moving large
numbers of windows around?) is a simple cookie instead appropriate?
> So yes, we need a standard in this area, and we also need to worry about
> the security consequences.
>
> There is other implementation work to fully flesh out this vision:
> a) right now, gtk can't quite remove itself entirely from the
> display; some more work is needed there.
Hmm, irritating :) Maybe I'll have to start looking deeper into how gtk
works.
> b) Xlib needs some work to allow applications to be notified if
> their display connection fails. I did some work here a year
> ago, but haven't had time to complete it since, due to all
> the XFree86/X.org upheavals and subsequent transition.
and maybe xlib too :) (I was so hoping to avoid learning how xlib works :)
> c) we need to deal with the security issues that this
> capability raises.
See above :)
More information about the xdg
mailing list