[1568] in linux-security and linux-alert archive
[linux-security] Re: How to protect X sessions?
daemon@ATHENA.MIT.EDU (Timo Felbinger)
Tue Jun 3 07:25:01 1997
Date: Mon, 2 Jun 1997 09:41:43 +0200 (MET DST)
From: Timo Felbinger <felbing@pandora.physik.uni-konstanz.de>
Reply-To: Timo.Felbinger@uni-konstanz.de
To: linux-security@redhat.com
In-Reply-To: <199706011841.OAA12616@mail.clark.net>
Resent-From: linux-security@redhat.com
Hello,
there were several answers to my request pointing in the same
direction (suggesting to use xhost or magic cookie authentication),
similar to the following:
On Sun, 1 Jun 1997, Peter W wrote:
> Doesn't "xdm" take care of all that? E.G. If I log in to the
> console as root and "startx": Toggle to Virtual Console 2, log in as
> joeblow, set $DISPLAY, and I can put an xclock on the X display.
> But if I run xdm first, then toggle to X (VC-7) and log in through
> xdm, joeblow on VC-2 can't connect to the X Server, or so the error
> message says.
This is correct but misses my point:
The problem is, whenever you have two applications running on the same
desktop, either of them can eavesdrop on all keyboard input destined
for the other one. This does not depend on the accounts these
applications are running under, and it does not depend on the
authentication scheme in use (xhost or cookies or whatever) either:
the mere fact that an application runs on your desktop implies that it
is authorized to connect to the server, and this alone is all it needs
to listen to all input.
A nice way to demonstrate this is a little program called xkey,
available e.g. from
http://www.users.interport.net/~reptile/linux/
Get it, and run it in a xterm (under whatever account you like, and
using whatever authentication scheme you prefer). Then open up a
second xterm on the same desktop (again, under whatever account you
like, and using whatever authentication scheme you prefer), and su
root in the second xterm.
As usual, you won't see your root password in the second xterm while
you type it. However, xkey running in the first xterm faithfully
records _all_ your input, including the password, and prints it out,
loud and clear.
[mod: That is why xterm has the "secure keyboard" option as the first
item on the control-left-mouse menu. You're supposed to activate this
before typing passwords. -- REW]
Now imagine you are not running xkey in the first window, but some
strange browser called Fooscape from Picosoft corporation, allowing
you to run small programs called applets from remote servers by just
clicking on a link (just as an example of a potentially unsecure
application; there are many more, of course).
On day you start such an applet which looks like yet another mine
sweeper clone; in the background, however, it launches something
similar to xkey, but of course it will not print your input to the
screen, but instead mails it back to the server you got it from, or
just writes to a file accessible via public ftp.
Regards,
Timo Felbinger