Restrict clipboard for untrusted X11 clients
I've come across this blog https://notehub.org/rp5n2 which describes a way to make certain X11 clients untrusted [1], which makes certain X11 extensions unavailable to them. Note that I know perfectly well that this alone is worthless unless I also use UID separation, which I do. I use xsudo [2] to run crapware.

However, even with an untrusted connection, clients can still monitor the clipboard. If the user is crapware, programs running under its account can still monitor the primary selection. Just try:

    watch -n0.5 xsudo crapware xclip -o

The security extension is definitely useful as it prevents untrusted X11 clients from logging the keyboard or simulating keypresses, but sniffing the clipboard is a weakness. How can I prevent sharing the clipboard with untrusted X11 clients by default?

I'm not interested in things like firejail. I don't care about namespaces. UNIX user separation is all I need. I also would like to avoid Xpra. It's way way waaay too slow compared to clients directly connected to X11. You can really notice the lag when typing.
[1] https://www.x.org/releases/X11R7.6/doc/xextproto/security.html
[2]
    #!/bin/zsh
    set -e
    # Copied from https://notehub.org/rp5n2
    # Run a command as another UNIX user with an *untrusted* X11 cookie, so the
    # SECURITY extension restricts what that client may do on the display.
    if [[ $# -lt 1 ]]; then
        echo "Usage: $0 asuser [cmdline...]" >&2
        exit 1
    fi
    asuser=$1
    shift
    if [[ -z $DISPLAY ]]; then
        echo "DISPLAY is not set" >&2
        exit 1
    fi
    # One cookie file per (display, user); reused on later invocations.
    cookie=/tmp/.Xauthority-$DISPLAY-$asuser
    if [[ ! -e $cookie ]]; then
        touch "$cookie"
        chmod 600 "$cookie"
        # Ask the server, over our own trusted connection, to generate an
        # untrusted cookie and store it in the new file.
        xauth -f "$cookie" generate "$DISPLAY" MIT-MAGIC-COOKIE-1 untrusted
        # Make the file readable by the target user's group only.
        sudo chgrp "$asuser" "$cookie"
        chmod 660 "$cookie"
    fi
    export XAUTHORITY=$cookie
    if [[ $# -gt 0 ]]; then
        exec sudo -u "$asuser" "$@"
    else
        exec sudo -u "$asuser" -i
    fi
Tags: x11, security, xorg, users, sandbox
asked Feb 1 at 11:31, edited Feb 1 at 13:32, by woky
1 Answer
You can use the nested X server nxagent instead of xpra; it is way faster for local setups. nxagent provides a seamless mode for single apps, too. It is a bit itchy to set it up in seamless mode and without clipboard and with its own Xauthority cookie. You can use x11docker for easy usage:

    x11docker --nxagent --exe -- yourapplication

or short:

    x11docker -ne yourapplication

To run as another user:

    sudo x11docker --user someuser -ne -- yourapplication

To allow clipboard sharing, add the x11docker option --clipboard. nxagent allows it by default, but x11docker disables it unless specified.

If you need hardware acceleration, install xpra, Xwayland, weston and xdotool and run

    sudo x11docker --user someuser --xpra-xwayland --exe -- yourapplication

Setup with nxagent only and without a cookie for clients:

    echo "nx/nx,clipboard=none:25" >/tmp/nxoptions
    nxagent :25 -R -nolisten tcp -options /tmp/nxoptions
    sudo -u someuser env DISPLAY=:25 yourapplication

This works with a US keyboard only. To get another keyboard layout, change /tmp/nxoptions. For a German keyboard layout:

    echo "nx/nx,clipboard=none,keyboard=evdev/de:25" >/tmp/nxoptions

Another possibility is to use Xephyr as a nested X server. But it does not provide a seamless mode.

    Xephyr :10
    sudo -u someuser env DISPLAY=:10 openbox # provide a window manager
    sudo -u someuser env DISPLAY=:10 someapplication

For hardware acceleration with Xephyr you can use virtualgl. (But it may be a bit tricky with a different user, as virtualgl/vglrun needs access to display :0.)
answered Feb 2 at 20:33, edited Feb 3 at 3:06, by mviereck
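The answer's nxagent and Xephyr commands start the nested server without any authorization of its own, so any local process that can reach the nested display's socket can connect to it. The POSIX shell script below is an added example, not code from the question, the answer, or the x11docker, nxagent or Xephyr projects: it starts Xephyr with its own MIT-MAGIC-COOKIE-1 auth file, hands a copy of that cookie only to the separated user, and runs a window manager plus the application on the nested display, whose PRIMARY and CLIPBOARD selections are independent of the host's. It also carries a small helper that builds the nxagent option string from the answer. The temp-directory layout, the free-display search, the use of openbox, and the user name passed on the command line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the page): run an application as a separate UNIX
# user inside a cookie-protected nested Xephyr server.
set -eu

# Lowest display number >= $2 with neither a socket in $1 nor a lock file
# next to the socket directory (default /tmp/.X11-unix and /tmp).
pick_free_display() {
    sockdir=${1:-/tmp/.X11-unix}
    n=${2:-10}
    lockdir=$(dirname "$sockdir")
    while [ -e "$sockdir/X$n" ] || [ -e "$lockdir/.X$n-lock" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Build the nxagent option string used in the answer, e.g.
#   nx_options none evdev/de 25  ->  nx/nx,clipboard=none,keyboard=evdev/de:25
nx_options() {
    clip=$1; kbd=$2; disp=$3
    opts="nx/nx,clipboard=$clip"
    if [ -n "$kbd" ]; then
        opts="$opts,keyboard=$kbd"
    fi
    echo "$opts:$disp"
}

# 128-bit random cookie as 32 hex digits (mcookie(1) is not assumed to exist).
new_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# run_nested USER COMMAND [ARGS...]
run_nested() {
    user=$1; shift
    disp=$(pick_free_display)
    cookie=$(new_cookie)
    dir=$(mktemp -d)
    chmod 711 "$dir"                     # traversable, not listable, by others
    server_auth=$dir/server.xauth        # read by Xephyr (runs as us)
    client_auth=$dir/client.xauth        # read by the separated user's clients
    # "." is xauth shorthand for the MIT-MAGIC-COOKIE-1 protocol.
    ( umask 077
      xauth -q -f "$server_auth" add ":$disp" . "$cookie"
      xauth -q -f "$client_auth" add ":$disp" . "$cookie" )
    sudo chown "$user" "$client_auth"
    chmod 600 "$client_auth"

    # Xephyr is itself an ordinary trusted client of the host display; only the
    # nested display requires the new cookie and refuses TCP connections.
    Xephyr ":$disp" -auth "$server_auth" -nolisten tcp -screen 1280x800 &
    xpid=$!
    trap 'kill "$xpid" 2>/dev/null; rm -rf "$dir"' EXIT

    i=0
    while [ ! -S "/tmp/.X11-unix/X$disp" ]; do   # wait for the nested socket
        i=$((i + 1))
        [ "$i" -lt 20 ] || { echo "Xephyr did not start" >&2; exit 1; }
        sleep 1
    done

    # Assumed window manager: openbox, as in the answer.
    sudo -u "$user" env DISPLAY=":$disp" XAUTHORITY="$client_auth" openbox &
    sudo -u "$user" env DISPLAY=":$disp" XAUTHORITY="$client_auth" "$@"
}

if [ "$#" -ge 2 ]; then
    run_nested "$@"
else
    echo "usage: $0 USER COMMAND [ARGS...]" >&2
fi
```

Invoke it as `./nested-x.sh someuser yourapplication`. Inside the nested display, `xclip -o` returns the nested server's own PRIMARY selection, which starts empty and is never synchronized with the host's; that separation, not the SECURITY extension, is what keeps the separated user's programs away from the host clipboard. The cookie file is what stops any other local process from simply connecting to the nested display; the host-side Xephyr process must still run as the invoking user, since it is the one with a trusted cookie for :0.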