Migration of windows between displays

Matthias Clasen mclasen at redhat.com
Thu Nov 11 23:39:23 EET 2004 

On Thu, 2004-11-11 at 16:19, Perry Lorier wrote:
> Jim Gettys wrote:
> > Phil Blundell has done this on the iPAQ (migrating from a small screen
> > to a workstation).
> 
> Neat!
> 
> > The big issue is making sure applications can't be easily hijacked; some
> > sort of authentication mechanism is required to ensure that doesn't
> > happen.
> 
> What is the threat model here?  Presumably if they can write properties 
> onto a window the attacker can range from being a real nuisance 
> (minimizing windows etc), through to doing outright damage (eg sending 
> synthesized events to the window getting it to quit without saving, or 
> deleting files for example).  Is this the right level of abstraction to 
> place security?  If hostile users have access to the display then 
> perhaps there should be another X Extension that should deal with what 
> they can/can't do, perhaps providing ACL's per property if necessary?
> 
> I must admit I don't really understand X's internal security mechanisms 
> other than I need a magic cookie to connect to a display, and newer 
> versions of ssh have some kind of "insecure x forwarding" mode that 
> seems to break some applications.
> 
> What kind of security is necessary?  If not everyone who has permission 
> to access the display doesn't have the necessary permission to ask an 
> application to move displays, who does?  Is strong crypto necessary (can 
> the wire be sniffed/MiTM?) or even usable? (do IPaq's have enough 
> processing power to not introduce heaps of latency when moving large 
> numbers of windows around?) is a simple cookie instead appropriate?
> 
> > So yes, we need a standard in this area, and we also need to worry about
> > the security consequences.
> > 
> > There is other implementation work to fully flesh out this vision:
> > 	a) right now, gtk can't quite remove itself entirely from the
> > 	   display; some more work is needed there.
> 
> Hmm, irritating :)  Maybe I'll have to start looking deeper into how gtk 
> works.

The problem in GTK+ is that gdk_display_close() doesn't work.

Matthias

More information about the xdg mailing list