8

X has some serious security problems, not the least of which is that any program using a given display can log keystrokes from any other program on that display. (This can be demonstrated easily using xinput.)

Is there any way to mitigate this within a single X display, without losing essential things like shared clipboard support?

e.g. would it be possible for a window manager to intercept all keystrokes, and pass them on only to the program owning the currently selected window?

Also, is there at least any way to prevent programs from sending sequences of keystrokes to each other? As things are by default on almost all Linux distributions, a compromised program running in my account could send 'rm -rf /\n' to a shell prompt running as root.

I know Linux has mandatory access control frameworks aplenty, but for purposes of spying on a user, those are all AFAIK rendered moot by X having insecure design from day one. What steps can be taken to reduce this hazard?

DanL4096
  • 1
    I am not sure if the following question can help you but you might want to read it http://unix.stackexchange.com/questions/101697/does-this-threat-still-exist-linux-keylogger-without-root-privileges – Ulkoma Aug 19 '14 at 22:35
  • 2
    Hmm. Calling this "authorized behavior" as in the response there is IMO just glossing over the problem, i.e. that X11 blows a gigantic hole in any mandatory access control setup, by letting graphical programs intercept and spoof each other's input. The whole point of MAC is to avoid such things. – DanL4096 Aug 20 '14 at 13:02
  • I assume "use Wayland, and ditch X11 apps" is out of the question? – forest Apr 07 '16 at 23:14

1 Answer

1

There is some work being done in this direction. Some links/ideas that could help you:

Qubes OS [1] tries to fix it, using domains, and in each isolated domain, you have a dummy X. It supports clipboard.

Other solutions [2] are being proposed to solve it; however, I don't know how they support the clipboard.

SELinux sandboxes [3] could be used as well. It is very similar to Qubes OS, but the main difference is that it uses the kernel to enforce isolation. Qubes uses Xen. The first time I tested it, I wasn't able to copy and paste, but searching again, it looks like that was fixed.

References

[1] https://www.qubes-os.org/doc/copy-paste/

[2] https://wiki.gnome.org/Projects/SandboxedApps

[3] https://www.linux.com/learn/tutorials/382226-run-applications-in-secure-sandboxes-with-selinux

VP.
  • 2
    There are also custom solutions similar to the SELinux solutions, where you can use either Xephyr or xpra and your own favorite flavor of MAC. Also, you might want to add Subgraph to your list, which does graphical isolation using xpra. – forest Apr 07 '16 at 23:14
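
A sketch of the Xephyr approach mentioned in the last comment, added here as an example and not code from the post or from any of the projects named: it starts a nested X server with its own cookie and runs one client against it with a scrubbed environment. It assumes Xephyr, xauth and mcookie are installed; the function names are illustrative.

```shell
#!/bin/sh
# Added example: run one client on its own nested X server (Xephyr), so it is
# not a client of the display the rest of the session uses.
# Assumes Xephyr, xauth and mcookie are installed; function names are illustrative.

SOCKET_DIR=/tmp/.X11-unix

# Print the lowest display number >= 1 that has no socket in the directory.
# (Subshell body keeps the variables local.)
free_display() (
    dir="${1:-$SOCKET_DIR}"
    n=1
    while [ -e "$dir/X$n" ]; do n=$((n + 1)); done
    echo "$n"
)

run_isolated() {
    n=$(free_display)
    scratch=$(mktemp -d)        # private directory (mode 0700), also used as HOME
    # Fresh cookie that is valid for the nested server only.
    xauth -f "$scratch/xauth" add ":$n" . "$(mcookie)"
    Xephyr ":$n" -auth "$scratch/xauth" -nolisten tcp -screen 1024x768 &
    xephyr_pid=$!
    # Wait up to about 5 seconds for the nested server's socket.
    tries=0
    while [ ! -S "$SOCKET_DIR/X$n" ] && [ "$tries" -lt 50 ]; do
        sleep 0.1
        tries=$((tries + 1))
    done
    # env -i drops the inherited environment, so the outer DISPLAY and
    # XAUTHORITY are not handed to the client.
    env -i DISPLAY=":$n" XAUTHORITY="$scratch/xauth" HOME="$scratch" \
        PATH="$PATH" "$@"
    status=$?
    kill "$xephyr_pid" 2>/dev/null
    rm -rf "$scratch"
    return "$status"
}

# Launch only when a command is given, e.g.:  sh isolate.sh xterm
if [ "$#" -gt 0 ]; then
    run_isolated "$@"
fi
```

On its own this only gives the client a separate display; a process running under the same account can still read the outer session's cookie, which is why the comment pairs it with MAC confinement. The nested server also has its own selections, so clipboard contents are not shared with the outer session.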