is it possible to "break out" of Xephyr
Christoph Anton Mitterer
calestyo at scientia.net
Mon Sep 17 15:38:06 PDT 2012
First, yes I know this may be considered a little bit off topic, given
that it's not about xorg development itself; but neither is it a normal
support question, I guess.
The background is OpenSSH bug #1926
(https://bugzilla.mindrot.org/show_bug.cgi?id=1926), in which I proposed
to allow using Xephyr for X-forwarding.
But the principle is not limited to SSH.
Many people don't want to do X-forwarding (especially from untrusted
systems) because of all kinds of attacks the evil remote system could
Now my idea was, if all that were "confined" in a Xephyr session
(perhaps one per host connection, or perhaps even per executed command -
just as the user likes)... one could get kind of a "secure
So questions are:
1) Can I restrict X-forwarding to a specific X-server (i.e. the Xephyr
instance that should be used for it; and that is for example
automatically started by ssh)? How's that done best? (i.e. in the most
2) Is it possible to "break" out of a Xephyr?
Well of course I'm not talking about possibly hidden security holes, but
rather: Are there "intended" ways to break out?
3) How about resource sharing?
Are there things like shared memory between Xephyr and its host X?
Can Xephyr use hardware features like direct communication with the 3D
4) What (else) can one do to restrict Xephyr as much as possible? Or
more generally, what else should one do with respect to my idea in the
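One concrete way to do what question 1 asks about (start a Xephyr for the session and make ssh's forwarded X11 connections go there instead of to the host X server), as an added example for this thread; it is not code from the original message, from OpenSSH or from Xephyr. The script name xephyr-ssh.sh, the starting display number 10, the 1280x800 screen size and the 10-second start-up timeout are choices made for the example. It relies on two documented behaviours: an X server started with -auth only accepts clients presenting a cookie from that file, and the ssh client uses its own DISPLAY and XAUTHORITY to decide where forwarded X11 channels connect and which cookie to pass on.

```shell
#!/bin/sh
# xephyr-ssh.sh (hypothetical helper for this thread, not part of OpenSSH
# or Xephyr): run "ssh -X" with the forwarded X11 connections pointed at a
# freshly started Xephyr instead of the host X server.
set -eu

SOCKET_DIR=/tmp/.X11-unix   # where X servers create their unix sockets

# Print the first display number >= $1 that has neither a socket in $2
# (default: the real socket dir) nor a /tmp/.X<n>-lock file.
find_free_display() {
    n=${1:-1}
    dir=${2:-$SOCKET_DIR}
    while [ -e "$dir/X$n" ] || [ -e "/tmp/.X$n-lock" ]; do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Print a fresh 128-bit MIT-MAGIC-COOKIE-1 as 32 lowercase hex digits.
make_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Wait up to $2 seconds for display :$1's unix socket; returns 0 on success.
wait_for_display() {
    tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        [ -S "$SOCKET_DIR/X$1" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

main() {
    display=$(find_free_display 10)   # example: start searching at :10
    authfile=$(mktemp)                 # private xauth file: only this session gets the cookie
    xauth -q -f "$authfile" add ":$display" MIT-MAGIC-COOKIE-1 "$(make_cookie)"

    # Xephyr itself is an ordinary client of the *host* server and uses the
    # caller's normal DISPLAY/XAUTHORITY for that. -auth makes the nested
    # server demand our cookie; -nolisten tcp keeps it off the network.
    Xephyr ":$display" -auth "$authfile" -nolisten tcp -screen 1280x800 \
        -title "ssh $*" -resizeable &
    xephyr_pid=$!
    trap 'kill "$xephyr_pid" 2>/dev/null; rm -f "$authfile"' EXIT INT TERM

    wait_for_display "$display" 10 || { echo "Xephyr did not come up" >&2; exit 1; }

    # Only ssh sees the nested display and its cookie, so every forwarded
    # X11 channel lands in the Xephyr, never on the host X server.
    DISPLAY=":$display" XAUTHORITY="$authfile" ssh -X "$@"
}

if [ $# -eq 0 ]; then
    echo "usage: $0 [ssh options] user@host [command]" >&2
else
    main "$@"
fi
```

Usage: `./xephyr-ssh.sh -C user@remote` opens a Xephyr window, runs ssh inside it and tears the window and the cookie file down when ssh exits. Two caveats: `ssh -X` first tries `xauth generate` to obtain an untrusted cookie, and if the nested server does not support that, ssh prints a warning and falls back to the display's real cookie, which here only grants access to the Xephyr display rather than to the host server; and the script confines the remote clients to the nested server only, it says nothing about what Xephyr, as a client of the host server, shares with that host (question 3 above).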