XFree86-xserv-4.3.0-47 copy/paste trouble and BadAtom.

Alexander Gottwald Alexander.Gottwald@s1999.tu-chemnitz.de
Sun Feb 29 02:07:00 GMT 2004


Harold L Hunt II wrote:

> I was wondering if this change in behavior meant that our multi-window
> window manager would be unable to connect to the server when an ssh
> session had been opened on the local machine already.  I did some
> testing but was not able to cause this to happen.  In any case, my great
> ideas for what was causing this problem are useless :)

I got more explanation from http://www.xfree86.org/~herrb/security.pdf

Any "normal" xclient connects in trusted mode. But openssh now connects
in untrusted mode. This is for "security" reasons. I'll describe later
why I think it's useless.

In untrusted mode some calls (esp. GetProperty and SetProperty) will fail.
This can be configured in /usr/X11R6/lib/X11/xserver/SecurityPolicy.

<quote source="SecurityPolicy">
# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER   root    ar iw
property SCREEN_RESOURCES   root    ar iw

# Ignore attempts to use cut buffers.  Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0    root    irw
property CUT_BUFFER1    root    irw
</quote>

The CUT_BUFFER entries may explain why the problems with copy&paste started.

One way to solve the new problems is to modify the SecurityPolicy and
distribute it with the xserver. But this is complicated because
a) we have to figure out all properties which are safe to export
b) we may be held responsible and sued for any security problem we create
   with these changes.

The other way is to enable X11ForwardTrusted by default. But again it is
(in my opinion) "dangerous" to explicitly disable a security method.

But anyway, I think the change to untrusted clients is very short-sighted.

Most users will get annoyed with non-working software and skip the whole
X11Forwarding issue and use "xhost +" again. This is a severe loss of
security.

If a lot of software requires access to properties which are blocked in
untrusted mode then most people will enable the switch. Only a few will
ever want the clients to connect in untrusted mode.

bye
    ago

NP: grauzone.04-02-15
-- 
 Alexander.Gottwald@informatik.tu-chemnitz.de
 http://www.gotti.org           ICQ: 126018723
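
An added example, not part of the original message or of the X server code: a small Python parser for the `property` lines quoted from SecurityPolicy above, reporting what an untrusted client gets for each operation. It assumes the policy grammar in which an action letter (a = allow, i = ignore, e = error) applies to the operation letters (r = read, w = write, d = delete) that follow it, which matches the comments in the excerpt; the function names are hypothetical.

```python
# Added example: audit SecurityPolicy property rules for untrusted X clients.
ACTIONS = {"a": "allow", "i": "ignore", "e": "error"}      # assumed grammar
OPERATIONS = {"r": "read", "w": "write", "d": "delete"}    # assumed grammar

# The excerpt quoted in the message above.
SAMPLE_POLICY = """\
# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER   root    ar iw
property SCREEN_RESOURCES   root    ar iw

# Ignore attempts to use cut buffers.  Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0    root    irw
property CUT_BUFFER1    root    irw
"""

def parse_perms(perms):
    """Map each operation named in a perms string to the action before it."""
    result, action = {}, None
    for ch in perms:
        if ch.isspace():
            continue
        if ch in ACTIONS:
            action = ACTIONS[ch]
        elif ch in OPERATIONS and action is not None:
            result[OPERATIONS[ch]] = action
        else:
            raise ValueError(f"unexpected letter {ch!r} in {perms!r}")
    return result

def parse_policy(text):
    """Return {(property, window): {operation: action}} for property rules."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split(None, 3)
        if not fields or fields[0] != "property":
            continue  # comment, blank line, or another rule type
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: malformed property rule")
        _, name, window, perms = fields
        rules[(name, window)] = parse_perms(perms)
    return rules

def silently_ignored(rules, operation):
    """Properties where the operation is ignored, so the client sees no error."""
    return sorted(n for (n, _), p in rules.items() if p.get(operation) == "ignore")

if __name__ == "__main__":
    for (name, window), perms in parse_policy(SAMPLE_POLICY).items():
        print(f"{name:18} {window:5} {perms}")
```

Operations a rule does not mention are left out of the result rather than given a default.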


