Restrict clipboard for untrusted X11 clients

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite
1












I've came across this blog https://notehub.org/rp5n2 which describes a way to make certain X11 clients untrusted[1], which makes certain X11 extensions unavailable to them. Note that I know perfectly well that this alone is worthless unless I also use UID separation, which I do. I use xsudo[2] to run crapware.



However, even with untrusted connection, clients can still monitor the clipboard. If the user is crapware, programs running under its account can still monitor the primary selection. Just try:



watch -n0.5 xsudo crapware xclip -o 


The security extensions is definitely useful as it prevents untrusted X11 clients to log keyboard or simulate keypresses but sniffing on clipboard is a weakness. How can I prevent sharing clipboard with untrusted X11 clients by default?



I'm not interested in things like firejail. I don't care about namespaces. UNIX user separation is all I need. I also would like to avoid Xpra. It's way way waaay too slow compared to clients directly connected to X11. You can really notice the lag when typing.



[1] https://www.x.org/releases/X11R7.6/doc/xextproto/security.html



[2]



#!/bin/zsh
set -e

# Copied from https://notehub.org/rp5n2

if [[ $# -lt 1 ]]; then
echo "Usage: $0 asuser [cmdline...]" >&2
exit 1
fi

asuser=$1
shift

if [[ -z $DISPLAY ]]; then
echo "DISPLAY is not set" >&2
exit 1
fi

cookie=/tmp/.Xauthority-$DISPLAY-$asuser

if [[ ! -e $cookie ]]; then
touch $cookie
chmod 600 $cookie
xauth -f $cookie generate $DISPLAY MIT-MAGIC-COOKIE-1 untrusted
sudo chgrp $asuser $cookie
chmod 660 $cookie
fi

export XAUTHORITY=$cookie

if [[ $# -gt 0 ]]; then
exec sudo -u $asuser "$@"
else
exec sudo -u $asuser -i
fi






share|improve this question


























    up vote
    2
    down vote

    favorite
    1












    I've came across this blog https://notehub.org/rp5n2 which describes a way to make certain X11 clients untrusted[1], which makes certain X11 extensions unavailable to them. Note that I know perfectly well that this alone is worthless unless I also use UID separation, which I do. I use xsudo[2] to run crapware.



    However, even with untrusted connection, clients can still monitor the clipboard. If the user is crapware, programs running under its account can still monitor the primary selection. Just try:



    watch -n0.5 xsudo crapware xclip -o 


    The security extensions is definitely useful as it prevents untrusted X11 clients to log keyboard or simulate keypresses but sniffing on clipboard is a weakness. How can I prevent sharing clipboard with untrusted X11 clients by default?



    I'm not interested in things like firejail. I don't care about namespaces. UNIX user separation is all I need. I also would like to avoid Xpra. It's way way waaay too slow compared to clients directly connected to X11. You can really notice the lag when typing.



    [1] https://www.x.org/releases/X11R7.6/doc/xextproto/security.html



    [2]



    #!/bin/zsh
    set -e

    # Copied from https://notehub.org/rp5n2

    if [[ $# -lt 1 ]]; then
    echo "Usage: $0 asuser [cmdline...]" >&2
    exit 1
    fi

    asuser=$1
    shift

    if [[ -z $DISPLAY ]]; then
    echo "DISPLAY is not set" >&2
    exit 1
    fi

    cookie=/tmp/.Xauthority-$DISPLAY-$asuser

    if [[ ! -e $cookie ]]; then
    touch $cookie
    chmod 600 $cookie
    xauth -f $cookie generate $DISPLAY MIT-MAGIC-COOKIE-1 untrusted
    sudo chgrp $asuser $cookie
    chmod 660 $cookie
    fi

    export XAUTHORITY=$cookie

    if [[ $# -gt 0 ]]; then
    exec sudo -u $asuser "$@"
    else
    exec sudo -u $asuser -i
    fi






    share|improve this question
























      up vote
      2
      down vote

      favorite
      1









      up vote
      2
      down vote

      favorite
      1






      1





      I've came across this blog https://notehub.org/rp5n2 which describes a way to make certain X11 clients untrusted[1], which makes certain X11 extensions unavailable to them. Note that I know perfectly well that this alone is worthless unless I also use UID separation, which I do. I use xsudo[2] to run crapware.



      However, even with untrusted connection, clients can still monitor the clipboard. If the user is crapware, programs running under its account can still monitor the primary selection. Just try:



      watch -n0.5 xsudo crapware xclip -o 


      The security extensions is definitely useful as it prevents untrusted X11 clients to log keyboard or simulate keypresses but sniffing on clipboard is a weakness. How can I prevent sharing clipboard with untrusted X11 clients by default?



      I'm not interested in things like firejail. I don't care about namespaces. UNIX user separation is all I need. I also would like to avoid Xpra. It's way way waaay too slow compared to clients directly connected to X11. You can really notice the lag when typing.



      [1] https://www.x.org/releases/X11R7.6/doc/xextproto/security.html



      [2]



      #!/bin/zsh
      set -e

      # Copied from https://notehub.org/rp5n2

      if [[ $# -lt 1 ]]; then
      echo "Usage: $0 asuser [cmdline...]" >&2
      exit 1
      fi

      asuser=$1
      shift

      if [[ -z $DISPLAY ]]; then
      echo "DISPLAY is not set" >&2
      exit 1
      fi

      cookie=/tmp/.Xauthority-$DISPLAY-$asuser

      if [[ ! -e $cookie ]]; then
      touch $cookie
      chmod 600 $cookie
      xauth -f $cookie generate $DISPLAY MIT-MAGIC-COOKIE-1 untrusted
      sudo chgrp $asuser $cookie
      chmod 660 $cookie
      fi

      export XAUTHORITY=$cookie

      if [[ $# -gt 0 ]]; then
      exec sudo -u $asuser "$@"
      else
      exec sudo -u $asuser -i
      fi






      share|improve this question














      I've came across this blog https://notehub.org/rp5n2 which describes a way to make certain X11 clients untrusted[1], which makes certain X11 extensions unavailable to them. Note that I know perfectly well that this alone is worthless unless I also use UID separation, which I do. I use xsudo[2] to run crapware.



      However, even with untrusted connection, clients can still monitor the clipboard. If the user is crapware, programs running under its account can still monitor the primary selection. Just try:



      watch -n0.5 xsudo crapware xclip -o 


      The security extensions is definitely useful as it prevents untrusted X11 clients to log keyboard or simulate keypresses but sniffing on clipboard is a weakness. How can I prevent sharing clipboard with untrusted X11 clients by default?



      I'm not interested in things like firejail. I don't care about namespaces. UNIX user separation is all I need. I also would like to avoid Xpra. It's way way waaay too slow compared to clients directly connected to X11. You can really notice the lag when typing.



      [1] https://www.x.org/releases/X11R7.6/doc/xextproto/security.html



      [2]



      #!/bin/zsh
      set -e

      # Copied from https://notehub.org/rp5n2

      if [[ $# -lt 1 ]]; then
      echo "Usage: $0 asuser [cmdline...]" >&2
      exit 1
      fi

      asuser=$1
      shift

      if [[ -z $DISPLAY ]]; then
      echo "DISPLAY is not set" >&2
      exit 1
      fi

      cookie=/tmp/.Xauthority-$DISPLAY-$asuser

      if [[ ! -e $cookie ]]; then
      touch $cookie
      chmod 600 $cookie
      xauth -f $cookie generate $DISPLAY MIT-MAGIC-COOKIE-1 untrusted
      sudo chgrp $asuser $cookie
      chmod 660 $cookie
      fi

      export XAUTHORITY=$cookie

      if [[ $# -gt 0 ]]; then
      exec sudo -u $asuser "$@"
      else
      exec sudo -u $asuser -i
      fi








      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 1 at 13:32

























      asked Feb 1 at 11:31









      woky

      22216




      22216




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote













          You can use nested X server nxagent instead of xpra, it is way faster for local setups.



          nxagent provides a seamless mode for single apps, too. It is a bit itchy to set it up in seamless mode and without clipboard and with its own Xauthority cookie. You can use x11docker for easy usage:



          x11docker --nxagent --exe -- yourapplication


          or short:



          x11docker -ne yourapplication


          To run as another user:



          sudo x11docker --user someuser -ne -- yourapplication


          To allow clipboard sharing, add x11docker option --clipboard. nxagent allows it per default, but x11docker disables it unless specified.



          If you need hardware acceleration, install xpra, Xwayland,weston and xdotool and run



          sudo x11docker --user someuser --xpra-xwayland --exe -- yourapplication



          Setup with nxagent only and without a cookie for clients:



          echo "nx/nx,clipboard=none:25" >/tmp/nxoptions
          nxagent :25 -R -nolisten tcp -options /tmp/nxoptions
          sudo -u someuser env DISPLAY=:25 yourapplication


          This works with US keyboard only. To get another keyboard layout, change /tmp/nxoptions. For german keyboard layout:



          echo "nx/nx,clipboard=none,keyboard=evdev/de:25" >/tmp/nxoptions



          Another possibility is to use Xephyr as nested X server. But it does not provide a seamless mode.



          Xephyr :10
          sudo -u someuser env DISPLAY=:10 openbox # provide a window manager
          sudo -u someuser env DISPLAY=:10 someapplication


          For hardware acceleration with Xephyr you can use virtualgl. (But may be a bit tricky with a different user as virtualgl/vglrun needs access to display :0).






          share|improve this answer






















            Your Answer







            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f421184%2frestrict-clipboard-for-untrusted-x11-clients%23new-answer', 'question_page');

            );

            Post as a guest






























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            1
            down vote













            You can use nested X server nxagent instead of xpra, it is way faster for local setups.



            nxagent provides a seamless mode for single apps, too. It is a bit itchy to set it up in seamless mode and without clipboard and with its own Xauthority cookie. You can use x11docker for easy usage:



            x11docker --nxagent --exe -- yourapplication


            or short:



            x11docker -ne yourapplication


            To run as another user:



            sudo x11docker --user someuser -ne -- yourapplication


            To allow clipboard sharing, add x11docker option --clipboard. nxagent allows it per default, but x11docker disables it unless specified.



            If you need hardware acceleration, install xpra, Xwayland,weston and xdotool and run



            sudo x11docker --user someuser --xpra-xwayland --exe -- yourapplication



            Setup with nxagent only and without a cookie for clients:



            echo "nx/nx,clipboard=none:25" >/tmp/nxoptions
            nxagent :25 -R -nolisten tcp -options /tmp/nxoptions
            sudo -u someuser env DISPLAY=:25 yourapplication


            This works with US keyboard only. To get another keyboard layout, change /tmp/nxoptions. For german keyboard layout:



            echo "nx/nx,clipboard=none,keyboard=evdev/de:25" >/tmp/nxoptions



            Another possibility is to use Xephyr as nested X server. But it does not provide a seamless mode.



            Xephyr :10
            sudo -u someuser env DISPLAY=:10 openbox # provide a window manager
            sudo -u someuser env DISPLAY=:10 someapplication


            For hardware acceleration with Xephyr you can use virtualgl. (But may be a bit tricky with a different user as virtualgl/vglrun needs access to display :0).






            share|improve this answer


























              up vote
              1
              down vote













              You can use nested X server nxagent instead of xpra, it is way faster for local setups.



              nxagent provides a seamless mode for single apps, too. It is a bit itchy to set it up in seamless mode and without clipboard and with its own Xauthority cookie. You can use x11docker for easy usage:



              x11docker --nxagent --exe -- yourapplication


              or short:



              x11docker -ne yourapplication


              To run as another user:



              sudo x11docker --user someuser -ne -- yourapplication


              To allow clipboard sharing, add x11docker option --clipboard. nxagent allows it per default, but x11docker disables it unless specified.



              If you need hardware acceleration, install xpra, Xwayland,weston and xdotool and run



              sudo x11docker --user someuser --xpra-xwayland --exe -- yourapplication



              Setup with nxagent only and without a cookie for clients:



              echo "nx/nx,clipboard=none:25" >/tmp/nxoptions
              nxagent :25 -R -nolisten tcp -options /tmp/nxoptions
              sudo -u someuser env DISPLAY=:25 yourapplication


              This works with US keyboard only. To get another keyboard layout, change /tmp/nxoptions. For german keyboard layout:



              echo "nx/nx,clipboard=none,keyboard=evdev/de:25" >/tmp/nxoptions



              Another possibility is to use Xephyr as nested X server. But it does not provide a seamless mode.



              Xephyr :10
              sudo -u someuser env DISPLAY=:10 openbox # provide a window manager
              sudo -u someuser env DISPLAY=:10 someapplication


              For hardware acceleration with Xephyr you can use virtualgl. (But may be a bit tricky with a different user as virtualgl/vglrun needs access to display :0).






              share|improve this answer
























                up vote
                1
                down vote










                up vote
                1
                down vote









                You can use nested X server nxagent instead of xpra, it is way faster for local setups.



                nxagent provides a seamless mode for single apps, too. It is a bit itchy to set it up in seamless mode and without clipboard and with its own Xauthority cookie. You can use x11docker for easy usage:



                x11docker --nxagent --exe -- yourapplication


                or short:



                x11docker -ne yourapplication


                To run as another user:



                sudo x11docker --user someuser -ne -- yourapplication


                To allow clipboard sharing, add x11docker option --clipboard. nxagent allows it per default, but x11docker disables it unless specified.



                If you need hardware acceleration, install xpra, Xwayland,weston and xdotool and run



                sudo x11docker --user someuser --xpra-xwayland --exe -- yourapplication



                Setup with nxagent only and without a cookie for clients:



                echo "nx/nx,clipboard=none:25" >/tmp/nxoptions
                nxagent :25 -R -nolisten tcp -options /tmp/nxoptions
                sudo -u someuser env DISPLAY=:25 yourapplication


                This works with US keyboard only. To get another keyboard layout, change /tmp/nxoptions. For german keyboard layout:



                echo "nx/nx,clipboard=none,keyboard=evdev/de:25" >/tmp/nxoptions



                Another possibility is to use Xephyr as nested X server. But it does not provide a seamless mode.



                Xephyr :10
                sudo -u someuser env DISPLAY=:10 openbox # provide a window manager
                sudo -u someuser env DISPLAY=:10 someapplication


                For hardware acceleration with Xephyr you can use virtualgl. (But may be a bit tricky with a different user as virtualgl/vglrun needs access to display :0).






                share|improve this answer














                You can use nested X server nxagent instead of xpra, it is way faster for local setups.



                nxagent provides a seamless mode for single apps, too. It is a bit itchy to set it up in seamless mode and without clipboard and with its own Xauthority cookie. You can use x11docker for easy usage:



                x11docker --nxagent --exe -- yourapplication


                or short:



                x11docker -ne yourapplication


                To run as another user:



                sudo x11docker --user someuser -ne -- yourapplication


                To allow clipboard sharing, add x11docker option --clipboard. nxagent allows it per default, but x11docker disables it unless specified.



                If you need hardware acceleration, install xpra, Xwayland,weston and xdotool and run



                sudo x11docker --user someuser --xpra-xwayland --exe -- yourapplication



                Setup with nxagent only and without a cookie for clients:



                echo "nx/nx,clipboard=none:25" >/tmp/nxoptions
                nxagent :25 -R -nolisten tcp -options /tmp/nxoptions
                sudo -u someuser env DISPLAY=:25 yourapplication


                This works with US keyboard only. To get another keyboard layout, change /tmp/nxoptions. For german keyboard layout:



                echo "nx/nx,clipboard=none,keyboard=evdev/de:25" >/tmp/nxoptions



                Another possibility is to use Xephyr as nested X server. But it does not provide a seamless mode.



                Xephyr :10
                sudo -u someuser env DISPLAY=:10 openbox # provide a window manager
                sudo -u someuser env DISPLAY=:10 someapplication


                For hardware acceleration with Xephyr you can use virtualgl. (But may be a bit tricky with a different user as virtualgl/vglrun needs access to display :0).







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Feb 3 at 3:06

























                answered Feb 2 at 20:33









                mviereck

                1,1171410




                1,1171410






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f421184%2frestrict-clipboard-for-untrusted-x11-clients%23new-answer', 'question_page');

                    );

                    Post as a guest













































































                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?