X SECURITY: allowed extensions for untrusted clients

Uecker, Martin Martin.Uecker at med.uni-goettingen.de
Fri Oct 13 21:14:02 UTC 2017


Hi Adam,

On Wednesday, 11.10.2017, 14:57 -0400, Adam Jackson wrote:
> On Fri, 2017-10-06 at 19:46 +0000, Uecker, Martin wrote:
> > Hi,
> > 
> > I would like to use untrusted connections for remote
> > clients. Currently this does not work for me, because it is
> > too slow, and I always have to use trusted connections.
> > 
> > So I wonder what it would take to expose some additional
> > extensions that are required for efficiency to untrusted
> > clients, in particular the RENDER extension?
> 
> The first step would be to add RENDER to the SecurityTrustedExtensions
> list. After that one might need to fix SecurityResource() or
> SecurityDoCheck() to allow untrusted clients to do whatever they want to
> their own resources (this might already be the case but I haven't tried
> to understand that code in detail).

Yes, thank you.  In fact, I already tried this years ago,
and *if* I remember correctly, it did just work. The two
major questions I have are:

Would such a patch be accepted?

What are the security implications of this change? I would
assume that it does not create any fundamentally new risks,
but I am not really qualified to judge this. Is there
somebody who could help with this?

> I continue to maintain that interacting with an "untrusted" remote
> client is a weird thing to want: if you can't trust it to interact
> peacefully with other clients, how can you trust it to do what you
> expect when you type into it?

I may trust it to do some specific work, but not trust it enough
to give it complete access to my computer. One example is me using
the local HPC cluster which is maintained by a different
institution and shared by many users (including many students).
As it is used by many different users, it has a much bigger
attack surface and is obviously much less secure than my
desktop. So if I log in to look at some results, I would
prefer to run this application as an untrusted client.

> But there's no intrinsic reason why
> RENDER couldn't be made to work for untrusted clients, in fact
> extending coverage to _all_ extensions should be pretty straightforward
> since the selinux work put hooks in all the right places.

The question is what security risks all the different extensions
may expose.

Martin
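
Added example (my own, not code from the thread or from xorg): how a user in Martin's position would mint an untrusted SECURITY-extension cookie and check which extensions the server actually offers an untrusted client compared with a trusted one. It assumes the standard xauth and xdpyinfo utilities, a server with the SECURITY extension, and xdpyinfo's indented extension listing.

```shell
#!/bin/sh
# Added example (not from the thread): set up an untrusted X connection and
# compare the extension lists offered to trusted and untrusted clients.
# Assumes xauth and xdpyinfo are installed and the server has SECURITY.

# Write an untrusted cookie for display $1 (e.g. ":0") into authority file $2.
# "." is xauth's shorthand for MIT-MAGIC-COOKIE-1; the cookie expires after
# it has been unused by any client for 3600 seconds.
make_untrusted_authority() {
    display=$1
    authfile=$2
    xauth -f "$authfile" generate "$display" . untrusted timeout 3600
}

# Print the extension names a client authenticating with authority file $1
# is offered on display $2, taken from xdpyinfo's indented extension block.
list_extensions() {
    XAUTHORITY=$1 xdpyinfo -display "$2" |
        sed -n '/^number of extensions/,/^default screen/p' |
        sed -n 's/^[[:space:]]\{1,\}//p'
}

# Pure helper (testable offline): given the trusted list ($1) and the
# untrusted list ($2), newline-separated, print what untrusted clients lack.
hidden_extensions() {
    printf '%s\n' "$1" | awk -v untrusted="$2" '
        BEGIN { n = split(untrusted, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)'
}

# Usage against a live server (DISPLAY and XAUTHORITY set, server reachable):
#   make_untrusted_authority "$DISPLAY" /tmp/untrusted.xauth
#   hidden_extensions "$(list_extensions "$XAUTHORITY" "$DISPLAY")" \
#                     "$(list_extensions /tmp/untrusted.xauth "$DISPLAY")"
```

Extensions printed by the last command are the ones currently withheld from untrusted clients; RENDER appearing there is exactly the situation discussed above.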


More information about the xorg-devel mailing list