Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes

Reply: Jan Beich : "Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes"
In reply to: Jan Beich : "Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Emmanuel Vadot <manu_at_bidouilliste.com>
Date: Tue, 09 Apr 2024 07:44:02 UTC

On Sat, 06 Apr 2024 12:01:54 +0200
Jan Beich <jbeich@FreeBSD.org> wrote:

> Emmanuel Vadot <manu@bidouilliste.com> writes:
> 
> > On Thu, 04 Apr 2024 15:48:55 +0200
> > Jan Beich <jbeich@FreeBSD.org> wrote:
> >
> >> Emmanuel Vadot <manu@bidouilliste.com> writes:
> >> 
> >> >> but also introduced a number of regressions that
> >> >> don't exist in my port, all of which were documented in my reviews.
> >> >
> >> >  What regressions ? I'm using xwayland for more than a year on my
> >> > desktop instead of -devel and haven't seen a problem.
> >> 
> >> Try diff xwayland{,-devel}/Makefile:
> >> - Missing XSECURITY (ssh -X vs. ssh -Y; xorg-server parity per bug 221984)
> >
> >  I admit that I'm a bit lost on this one, I did some test and here is
> > what I found :
> >
> >  - Using sway and xwayland (so without xcsecurity enabled) I can't ssh
> > -X to a xorg host and run applications (DISPLAY is not set), but I can
> > ssh -Y fine
> 
> Works fine here:
> 
>   # Prepare by removing existing permissions
>   $ rm ~/.Xauthority
>   $ ssh test@jail rm \~/.Xauthority
> 
>   # x11-servers/xwayland-devel
>   $ ssh -X test@jail xeyes
>   /usr/local/bin/xauth:  file /home/test/.Xauthority does not exist
>   Xlib:  extension "XInputExtension" missing on display "localhost:10.0".
>   ^C
> 
>   # x11-servers/xwayland
>   $ ssh -X test@jail xeyes
>   Warning: untrusted X11 forwarding setup failed: xauth key data not generated
>   Error: Can't open display:
> 
> Alternatively, SECURITY extension can be tested locally:
> 
>   $ xauth generate $DISPLAY . untrusted && xeyes
>   xauth:  file /home/jbeich/.Xauthority does not exist
>   Xlib:  extension "XInputExtension" missing on display ":0".
>   ^C
> 
> Curiously, wlroots starts Xwayland without -auth argument unlike others.
> https://gitlab.gnome.org/GNOME/mutter/-/commit/a8984a81c2e8
> https://invent.kde.org/plasma/kwin/-/commit/335d9c41925d
> 
> >  So what I did next was to recompile xorg-server with xcsecurity
> > set to false. And to my surprise ssh -X from a xorg host to the one
> > with the modified xorg-server still worked.
> 
> Did you run the modified xorg-server locally? ssh -X doesn't use
> xorg-server on the remote host, where sshd server is running.
> 
> >  xcsecurity is disabled by default in xorg-server upstream (in meson)
> > and I think that we should do the same (granted that XACE works
> > correctly).
> 
> From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59
>   # X-ACE extension: provides hooks for building security policy extensions
>   # like XC-Security, X-SELinux & XTSol
> 
> X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
> with the legacy XC-Security (trusted/untrusted) or nothing.

 No, We build with X-ACE currently and this isn't what the doc is
saying. It just says that X-ACE is somewhat what X-SELinux and XTSol is.
 In fact it seems that XCSECURITY imply X-ACE, I haven't looked
at the code but it's possible that the XCSECURITY code is using X-ACE
as the backend.

-- 
Emmanuel Vadot <manu@bidouilliste.com> <manu@freebsd.org>