4

If I want to use a GUI application with another user (example: web browser), I can copy the .Xauthority file to that given user's home, then I can "su - user" and start the GUI app.

Question: but what security problems does this bring?

Steve Dodier-Lazaro

1 Answer

1

There is no isolation between GUI apps on X11, so that allows your user to spy on your clipboard's content, create windows that may look like spoofs of your own windows (e.g. spoofs of your polkit dialog or screen locker), record your entire monitor, implement a keylogger...

Just create a guest session, seriously. Or use a VM. I would not trust other technologies with guaranteeing isolation right now on X11. And I would not consider XACE a useful tool for the general public, because it's very low level, and very hard to distinguish between X11 internals and legitimate calls (not to mention some APIs like X11 selections get massively abused and are impossible to mediate in their current form).

If you can run Wayland already, then you could look up this post by GTK+/GNOME developer Alexander Larsson. I haven't reviewed it though, but this is experimental, ongoing work done by engineers who are brilliant but not necessarily trained security professionals. Use with caution.

You might also find my answer on Should I get an antivirus for Ubuntu? to be relevant.

Steve Dodier-Lazaro
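An added example, not part of the question or the answer above: an audit sketch that parses the binary .Xauthority format and reports any cookie held by more than one account, which is the situation a copied .Xauthority creates. The account names, the `make_entry` helper and the sample bytes are constructed for illustration; on a real system you would feed it the files read from each home directory.

```python
import struct
from collections import defaultdict

def parse_xauthority(blob):
    """Parse the binary .Xauthority format: a 2-byte big-endian family, then four
    length-prefixed fields (address, display number, auth name, auth data)."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated family field")
        (family,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        fields = []
        for _ in range(4):
            if pos + 2 > len(blob):
                raise ValueError("truncated length field")
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if pos + n > len(blob):
                raise ValueError("truncated field data")
            fields.append(blob[pos:pos + n])
            pos += n
        entries.append((family, *fields))
    return entries

def shared_cookies(files):
    """files maps account name -> raw .Xauthority bytes. Returns
    {(display, auth name): sorted accounts} for cookies held by more than one account."""
    holders = defaultdict(set)
    for account, blob in files.items():
        for _family, _addr, display, name, data in parse_xauthority(blob):
            holders[(display.decode(), name.decode(), data)].add(account)
    # The cookie bytes are used for grouping only and never returned or printed.
    return {(d, n): sorted(a) for (d, n, _c), a in holders.items() if len(a) > 1}

def make_entry(family, addr, display, name, data):
    """Hypothetical helper: build one constructed entry for the sample input."""
    return struct.pack(">H", family) + b"".join(
        struct.pack(">H", len(f)) + f for f in (addr, display, name, data))

# Constructed sample data (256 = FamilyLocal): alice's cookie for :0 was copied to bob.
COOKIE = bytes(range(16))
ALICE = make_entry(256, b"desktop", b"0", b"MIT-MAGIC-COOKIE-1", COOKIE)
BOB = ALICE  # byte-for-byte copy, as after copying .Xauthority into bob's home
CAROL = make_entry(256, b"desktop", b"1", b"MIT-MAGIC-COOKIE-1", bytes(16))

if __name__ == "__main__":
    print(shared_cookies({"alice": ALICE, "bob": BOB, "carol": CAROL}))
```

Every account listed for a display holds the same MIT-MAGIC-COOKIE-1 value, so each of them has full access to that X server.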