
I'm new to X11 and want to understand if it is really as dangerous as they say on the Internet.

I will explain how I understand this. Any application launched as the current user has access to the keyboard, mouse, display (e.g. taking a screenshot), and this is not good. But, if we install programs from the official repository (for example, for Debian), which are unlikely to contain keyloggers, etc., then the danger seems exaggerated. Am I wrong?

Yes, you can open applications on separate servers (for example, Xephyr), but this is inconvenient, since there is no shared clipboard. Creating a clipboard based on tmp files is also inconvenient.

  • @mosvy X11 is also not Linux (and the OP mentions Debian). And a display is not a screen-shot. – ctrl-alt-delor Mar 22 '20 at 15:19
  • @ctrl-alt-delor X11 works on Linux (does not depend on the GNU userland), and you can take a screenshot of an X11 display (e.g. with xwd -root). –  Mar 22 '20 at 15:21
  • OK I have put some clarity around screen-shot. I now realise what the OP was trying to say about it. And I have removed Linux, as you are correct, it is not relevant X11 does not depend on it. – ctrl-alt-delor Mar 22 '20 at 15:25
  • Ob. xkcd: https://xkcd.com/2044/ – Eric Towers Mar 22 '20 at 23:37
  • Who calls it dangerous on the internet? Links! – curiousdannii Mar 23 '20 at 00:40
  • X11 has been around since 1989(?) when it replaced X10. It's pretty battle-tested. The security model has limitations, but the X11 sky has not fallen. – Kaz Mar 23 '20 at 23:47
  • Why are you more concerned about programs using X11 to get data from other programs than programs reading other programs data from disk? When you run an untrusted program, it can do a lot of harm even without using X11 APIs. In addition you could ask the question at https://security.stackexchange.com as well, they may know even more security details about X11. – allo Mar 24 '20 at 16:39
  • What's more dangerous, something that allows you to do useful things, but which can potentially be misused, or a different thing that is so damned "secure" that you can't do anything but run a very few trusted applications? You do need to realize that X was developed under the assumption that many users would be writing their own programs, and that this is still often the case. – jamesqf Mar 24 '20 at 17:18
  • @allo, because I use sandboxes (for example, Firejail), in which for each program I restrict access to the disk. I already asked the same question at https://security.stackexchange.com/questions/227646/is-x11-dangerous. – Dstart Mar 25 '20 at 04:08
  • @Dstart Firejail already suggests to use xpra for this reason. See https://firejail.wordpress.com/documentation-2/x11-guide/. Xpra also allows for a shared clipboard. – allo Mar 26 '20 at 09:35
  • @allo, yes, I already tried Xpra, but unlike Xephyr, it slows down the computer. I could not determine the reason, so I decided to choose Xephyr – Dstart Mar 26 '20 at 12:11
  • Dangerous as hell! I had an old girlfriend who lost two fingers to the first knuckle on X11. – gnicko Mar 26 '20 at 17:32

2 Answers

Any application launched from under the current user has access to the keyboard, mouse, display (e.g. taking a screenshot), and this is not good.

All the X11 clients on a desktop can access each other in depth, including getting the content of any window, changing it, closing any window, faking key and mouse events to any other client, grabbing any input device, etc.

The X11 protocol design is based on the idea that the clients are all TRUSTED and will collaborate, not step on each other's toes (the latter completely broken by modern apps like Firefox, Chrome or Java).

BUT, if we install programs from the official repository (for example, for Debian), which are unlikely to contain keyloggers, etc., then the danger problem is clearly exaggerated. Am I wrong?

Programs have bugs, which may be exploited. The X11 server and libraries may not be up-to-date. For instance, any X11 client can crash the X server in the current version of Debian (Buster 10) via innocuous Xkb requests. (That was fixed in the upstream sources, but hasn't made it into Debian yet.) If it's able to crash it, then there's some probability that it's also able to execute code with the privileges of the X11 server (access to hardware, etc).

For the problems with the lax authentication in Xwayland (and the regular Xorg X server in Debian), see the notes at the end of this answer.

Yes, you can open applications on separate servers (for example, Xephyr), but this is inconvenient, since there is no shared clipboard. Creating a clipboard based on tmp files is also inconvenient.

Notice that unless you take extra steps, Xephyr allows any local user to connect to it by default. See this for a discussion about it.

Creating a shared clipboard between multiple X11 servers is an interesting problem, which deserves its own Q&A, rather than mixed with this.

  • Thank you! Yes, I already know that Xephyr by default allows any local user to connect to it, but since I use the Firejail sandbox, the authorization procedure happens by default there. – Dstart Mar 22 '20 at 17:54
  • Just curious, what's specifically bad about Java in this context? – Stephen Kitt Mar 22 '20 at 18:54
  • @StephenKitt Java apps (swing) steal the focus upon starting, which means that they completely break any focus-follows-mouse model, unless treated specially. Just like Firefox, Java apps need special assistance from the window manager, otherwise drop-down menus won't open, entry boxes won't focus, etc. I don't know if that's still the case, but Java was assuming that a window manager is reparenting, unless it was named "LG3D" or similar (the Java library had a select list of non-reparenting WMs, and all the other non-reparenting WMs had to lie about their name ;-)). –  Mar 23 '20 at 02:44
  • @mosvy that's still the case, at least for OpenJDK. E.g. in xmonad, you have to configure "LG3D" as the window manager name. Otherwise Java applications with a GUI won't work. –  Mar 23 '20 at 03:09
  • Ah right @mosvy, thanks for the clarification; that's the awful "inset" handling baked into AWT imported from Win32 (!). (I use sloppy focus, but I leave the Java applications I use open most of the time so they only get one chance to steal it.) – Stephen Kitt Mar 23 '20 at 10:11
  • I remember Java (and Wine) having plenty of issues, but I didn't know Firefox also needed special accommodations – is that a recent thing, or was it already "bad" in the Netscape era? – u1686_grawity Mar 23 '20 at 10:15
  • @mosvy "Java apps (swing) steal the focus upon starting" If that makes something a security concern, half the applications coded for Windows are insecure [insert your own joke here]. Somebody needs to take a three-weeks-dead, fully rotten mackerel and use it to slap the UX clowns who insist their app is "special" and MUST steal focus on startup. – Andrew Henle Mar 23 '20 at 13:45
  • @user1686 Firefox does need a WM, and a WM which does more than ICCCM and EWMH require from it. To verify my claim, start a separate X11 server (e.g. with Xorg :7) and then run firefox on it: firefox --display=:7 --new-instance -P someprofile. Then try to enter something in the address bar: the suggestions drop-down list will open and then close immediately. Or press Alt to show the menubar, and click on an entry. Or click on the hamburger menu, etc. –  Mar 23 '20 at 17:53
  • @AndrewHenle or some kinda Finnish delicacy. – Will Crawford Mar 24 '20 at 13:44
  • I can't find the source anymore, but I once read the reason why MS Office steals the focus is to prevent lots of support calls "I triple-clicked on Excel on my desktop because I don't have enough motor control to just double-click, and it didn't start" (because Excel is actually minimized because the 3rd click re-focused the desktop) and users don't know how to switch windows. So, focus stealing is actually intentional from the UX perspective. – Erlkoenig Mar 24 '20 at 13:46

Applications running on the same machine with the same user account can use the ptrace system call to modify each other's process memory, so X11 is not the most convenient attack surface here.

For applications you don't fully trust, you need to first run them with a different user ID (like Android does with applications from different vendors), and you can use the XSECURITY extension to generate an "untrusted" access token for the X server, with which the application's access to X11 is restricted:

  • no access to input events not directed at the own window
  • no access to the XTEST extension
  • no transparent windows

Input events in X11 have a Synthetic field that tells whether the input event was generated from an input device or sent from another program, and the receiving program decides what to do with synthetic events, for example xterm just ignores them. The XTEST extension allows generating non-Synthetic events from software for testing purposes, which is why untrusted clients are not allowed to use that extension.

  • I read somewhere in the past that untrusted is still not very secure. – akostadinov Mar 23 '20 at 21:03
  • Unfortunately, the untrusted mode is pretty broken, and it will cause many apps to malfunction. Especially the fact that it hides the RENDER extension (despite it continuing to work) trips many programs which call XRenderQueryExtension. –  Mar 24 '20 at 16:39
  • Yeah, a lot of modern programs weren't designed with security in mind -- they happily accept Synthetic events, and they require being run with full privileges. – Simon Richter Mar 25 '20 at 08:50
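To make the Synthetic flag in the answer above concrete, here is an added example written for this page (not code from the answer or from any X library). It decodes core X11 key events as they appear on the wire, where the X11 protocol sets bit 0x80 of the event code when the event came from a SendEvent request, and applies xterm's policy of dropping such events. The third sample shows the answer's other point: an XTEST-injected press arrives with the flag clear and is indistinguishable from a physical one, which is why untrusted clients are denied XTEST. The three events are constructed, not captured, and a little-endian client byte order is assumed (a real client negotiates it at connect time).

```python
"""Decode 32-byte X11 KeyPress/KeyRelease events and filter synthetic ones.
Added example for this page. Wire layout per the X11 protocol encoding:
code(1) detail(1) sequence(2) time(4) root(4) event(4) child(4)
root-x(2) root-y(2) event-x(2) event-y(2) state(2) same-screen(1) pad(1).
Bit 0x80 of 'code' is set when the event was generated by SendEvent.
Byte order here is little-endian (assumption for the demo).
"""
import struct

KEY_PRESS, KEY_RELEASE = 2, 3
SEND_EVENT_FLAG = 0x80
EVENT_SIZE = 32
KEY_EVENT_FMT = "<BBHIIIIhhhhHBx"   # 32 bytes, 13 fields


def decode_key_event(buf: bytes) -> dict:
    """Return the fields a client cares about, plus whether it was synthetic."""
    if len(buf) != EVENT_SIZE:
        raise ValueError("X11 events are exactly 32 bytes")
    (code, keycode, _seq, _time, _root, window, _child,
     _rx, _ry, _ex, _ey, state, _same) = struct.unpack(KEY_EVENT_FMT, buf)
    synthetic = bool(code & SEND_EVENT_FLAG)     # set by SendEvent, clear for XTEST
    code &= ~SEND_EVENT_FLAG
    if code not in (KEY_PRESS, KEY_RELEASE):
        raise ValueError(f"not a key event: code {code}")
    return {"type": "KeyPress" if code == KEY_PRESS else "KeyRelease",
            "keycode": keycode, "state": state, "window": window,
            "synthetic": synthetic}


def build_key_event(code: int, keycode: int, window: int,
                    synthetic: bool = False, seq: int = 1, state: int = 0) -> bytes:
    """Constructs a sample event for the demo; in real life the server emits these."""
    if synthetic:
        code |= SEND_EVENT_FLAG
    return struct.pack(KEY_EVENT_FMT, code, keycode, seq, 0, 0x1ed, window,
                       0, 0, 0, 0, 0, state, 1)


def accept_key_events(stream: bytes, allow_synthetic: bool = False):
    """Split a byte stream into events; drop SendEvent ones unless allowed.

    This is the xterm-style policy from the answer. It cannot catch XTEST
    input, which the server delivers with the flag clear.
    """
    accepted, dropped = [], 0
    for off in range(0, len(stream), EVENT_SIZE):
        ev = decode_key_event(stream[off:off + EVENT_SIZE])
        if ev["synthetic"] and not allow_synthetic:
            dropped += 1
            continue
        accepted.append(ev)
    return accepted, dropped


# Constructed samples (window id and keycode are arbitrary): a physical 'a'
# press, the same key injected via SendEvent (what e.g. `xdotool key --window`
# produces), and the same key injected via XTEST, which looks physical.
WINDOW = 0x2000001
SAMPLE_STREAM = b"".join([
    build_key_event(KEY_PRESS, 38, WINDOW),                  # real key
    build_key_event(KEY_PRESS, 38, WINDOW, synthetic=True),  # SendEvent
    build_key_event(KEY_PRESS, 38, WINDOW),                  # XTEST
])

if __name__ == "__main__":
    kept, dropped = accept_key_events(SAMPLE_STREAM)
    print(f"accepted {len(kept)} key events, dropped {dropped} synthetic")
    for ev in kept:
        print(ev)
```

The policy is only a courtesy from the receiving client; the X server itself delivers synthetic events to any client that asks, so a program that does not check the flag (as the comments above note most modern ones do not) sees injected input as real.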