Restrict clipboard for untrusted X11 clients

I've come across this blog https://notehub.org/rp5n2 which describes a way to make certain X11 clients untrusted[1], which makes certain X11 extensions unavailable to them. Note that I know perfectly well that this alone is worthless unless I also use UID separation, which I do. I use xsudo[2] to run crapware.



However, even with an untrusted connection, clients can still monitor the clipboard. If the user is crapware, programs running under its account can still monitor the primary selection. Just try:



watch -n0.5 xsudo crapware xclip -o 


The security extension is definitely useful as it prevents untrusted X11 clients from logging the keyboard or simulating keypresses, but clipboard sniffing is a weakness. How can I prevent sharing the clipboard with untrusted X11 clients by default?



I'm not interested in things like firejail. I don't care about namespaces. UNIX user separation is all I need. I also would like to avoid Xpra. It's way way waaay too slow compared to clients directly connected to X11. You can really notice the lag when typing.



[1] https://www.x.org/releases/X11R7.6/doc/xextproto/security.html



[2]



#!/bin/zsh
set -e

# Copied from https://notehub.org/rp5n2
# Runs a command as another UNIX user with an untrusted X11 authorization
# (SECURITY extension), so the client is denied the extensions reserved for
# trusted clients. UID separation is still needed on top of this.

if [[ $# -lt 1 ]]; then
    echo "Usage: $0 asuser [cmdline...]" >&2
    exit 1
fi

asuser=$1
shift

if [[ -z $DISPLAY ]]; then
    echo "DISPLAY is not set" >&2
    exit 1
fi

# One cookie file per (display, target user); it is reused on later runs.
cookie=/tmp/.Xauthority-$DISPLAY-$asuser

if [[ ! -e $cookie ]]; then
    # Create the file owner-only first so nobody can read it before the
    # group has been switched to the target user's group.
    touch $cookie
    chmod 600 $cookie
    # Ask the X server for a fresh *untrusted* authorization and store it
    # in $cookie; the real cookie from ~/.Xauthority is never copied.
    xauth -f $cookie generate $DISPLAY MIT-MAGIC-COOKIE-1 untrusted
    # Hand read access to the target user's group only.
    sudo chgrp $asuser $cookie
    chmod 660 $cookie
fi

export XAUTHORITY=$cookie

# sudo's default env_keep passes DISPLAY and XAUTHORITY through; if the
# client cannot open the display, check the list with "sudo -V" as root.
if [[ $# -gt 0 ]]; then
    exec sudo -u $asuser "$@"
else
    exec sudo -u $asuser -i
fi






      edited Feb 1 at 13:32

























      asked Feb 1 at 11:31









      woky
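A defender's check for the xsudo setup above, added here as example code (not part of the question or of the notehub script): the per-user file in /tmp is group-readable by the untrusted account, so it must contain only the server-issued untrusted authorization and never the real cookie from ~/.Xauthority. The script parses both files in the Xauthority on-disk format and reports any cookie the two have in common; FAMILY_LOCAL and the sample entries are constructed, the file path in the usage comment is an assumption.

```python
from __future__ import annotations
import struct
import sys
from dataclasses import dataclass

FAMILY_LOCAL = 256  # FamilyLocal from Xauth.h: a host-local display

@dataclass(frozen=True)
class XauthEntry:
    family: int
    address: bytes  # hostname for FamilyLocal entries
    number: bytes   # display number as ASCII digits, e.g. b"0"
    name: bytes     # authorization protocol, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes     # the cookie bytes

def _counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one big-endian uint16 length-prefixed field."""
    if pos + 2 > len(buf):
        raise ValueError("truncated Xauthority field at offset %d" % pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated Xauthority field at offset %d" % pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(buf: bytes) -> list[XauthEntry]:
    """Parse the on-disk Xau format: uint16 family, then four counted fields."""
    entries, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated Xauthority entry at offset %d" % pos)
        (family,) = struct.unpack_from(">H", buf, pos)
        address, pos = _counted(buf, pos + 2)
        number, pos = _counted(buf, pos)
        name, pos = _counted(buf, pos)
        data, pos = _counted(buf, pos)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries

def encode_entry(e: XauthEntry) -> bytes:
    """Inverse of parse_xauthority for one entry; used to build the samples below."""
    out = struct.pack(">H", e.family)
    for field in (e.address, e.number, e.name, e.data):
        out += struct.pack(">H", len(field)) + field
    return out

def leaked_cookies(trusted: bytes, untrusted: bytes) -> list[XauthEntry]:
    """Entries of the untrusted file whose (protocol, data) also occur in the trusted file."""
    known = {(e.name, e.data) for e in parse_xauthority(trusted)}
    return [e for e in parse_xauthority(untrusted) if (e.name, e.data) in known]

def _sample(data: bytes) -> bytes:  # constructed sample entry, not a real cookie
    return encode_entry(XauthEntry(FAMILY_LOCAL, b"host", b"0", b"MIT-MAGIC-COOKIE-1", data))

# The owner's ~/.Xauthority, the file xsudo's "xauth generate ... untrusted" leaves
# (server-issued, distinct data), and a broken variant that also carries the real cookie.
TRUSTED = _sample(bytes(range(16)))
UNTRUSTED = _sample(bytes(range(16, 32)))
LEAKED = UNTRUSTED + TRUSTED

if __name__ == "__main__":  # usage: check_xauth.py ~/.Xauthority /tmp/.Xauthority-:0-crapware
    files = [open(p, "rb").read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [TRUSTED, LEAKED]
    bad = leaked_cookies(*files)
    print("OK: no trusted cookie in the untrusted file" if not bad else "LEAK: %d shared cookie(s)" % len(bad))
    sys.exit(1 if bad else 0)
```

Run with no arguments it checks the constructed samples and exits non-zero on the LEAKED variant; with the two file paths it checks a live setup.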

          1 Answer
          You can use the nested X server nxagent instead of xpra; it is way faster for local setups.



          nxagent provides a seamless mode for single apps, too. It is a bit itchy to set it up in seamless mode and without clipboard and with its own Xauthority cookie. You can use x11docker for easy usage:



          x11docker --nxagent --exe -- yourapplication


          or short:



          x11docker -ne yourapplication


          To run as another user:



          sudo x11docker --user someuser -ne -- yourapplication


          To allow clipboard sharing, add the x11docker option --clipboard. nxagent allows it by default, but x11docker disables it unless specified.



          If you need hardware acceleration, install xpra, Xwayland, weston and xdotool and run



          sudo x11docker --user someuser --xpra-xwayland --exe -- yourapplication



          Setup with nxagent only and without a cookie for clients:



          echo "nx/nx,clipboard=none:25" >/tmp/nxoptions
          nxagent :25 -R -nolisten tcp -options /tmp/nxoptions
          sudo -u someuser env DISPLAY=:25 yourapplication


          This works with a US keyboard only. To get another keyboard layout, change /tmp/nxoptions. For a German keyboard layout:



          echo "nx/nx,clipboard=none,keyboard=evdev/de:25" >/tmp/nxoptions



          Another possibility is to use Xephyr as nested X server. But it does not provide a seamless mode.



          Xephyr :10
          sudo -u someuser env DISPLAY=:10 openbox # provide a window manager
          sudo -u someuser env DISPLAY=:10 someapplication


          For hardware acceleration with Xephyr you can use virtualgl. (But it may be a bit tricky with a different user, as virtualgl/vglrun needs access to display :0).






                edited Feb 3 at 3:06

























                answered Feb 2 at 20:33









                mviereck
