Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes

From: Emmanuel Vadot <manu_at_bidouilliste.com>
Date: Fri, 05 Apr 2024 08:41:11 UTC
On Thu, 04 Apr 2024 15:48:55 +0200
Jan Beich <jbeich@FreeBSD.org> wrote:

> Emmanuel Vadot <manu@bidouilliste.com> writes:
> 
> >> but also introduced a number of regressions that
> >> don't exist in my port, all of which were documented in my reviews.
> >
> >  What regressions ? I'm using xwayland for more than a year on my
> > desktop instead of -devel and haven't seen a problem.
> 
> Try diff xwayland{,-devel}/Makefile:
> - Missing XSECURITY (ssh -X vs. ssh -Y; xorg-server parity per bug 221984)

 I admit that I'm a bit lost on this one, I did some tests and here is
what I found:

 - Using sway and xwayland (so without xcsecurity enabled) I can't ssh
-X to an xorg host and run applications (DISPLAY is not set), but I can
ssh -Y fine
 - If I enable xcsecurity for xwayland, the behavior is exactly the same
(i.e. -X doesn't work, -Y does).
 - I've confirmed that -X works from another xorg host

 So what I did next was to recompile xorg-server with xcsecurity
set to false. And to my surprise ssh -X from a xorg host to the one
with the modified xorg-server still worked.
 xcsecurity was added in 2018 via PR 221984 which states that it fixes
-X, and that doesn't seem to be the case; xcsecurity doesn't seem to
be related to X11 forwarding but is something for grouping clients so they
can't access each other or something (see
https://www.x.org/wiki/Development/Documentation/Security/#index2h2 for
more info).
 xcsecurity is disabled by default in xorg-server upstream (in meson)
and I think that we should do the same (granted that XACE works
correctly).

 The TLDR is that this has nothing to do with X11 forwarding and that I
think that not enabling this option in xwayland (and in -devel too) is
a good thing, one of the benefits of Wayland is to drop the old X11
crappy model.

> - Missing XDMCP (xorg-server parity, maybe used with rootful Xwayland and GUI login managers)

 I've lost 2 hours looking at xcsecurity so unless you can prove to me
that this option is good to have enabled (and explain what it does
exactly) I won't look into it for now.

> - Missing XTEST input emulation (XDG Portal API, required by GNOME, Plasma and maybe rootful Xwayland)
> - Missing CSD for rootful (mainly for GNOME, optional even if preferred elsewhere)

 I do agree that both should be enabled, bapt@ started a patch and I've
asked him to wait so I could have a look at XCSECURITY before.

> - Broken on DragonFly due to forcing -Dsha1 (already default after I've fixed upstream bug years ago)
> - Redundant -Dglamor, -Dipv6, -Dxkb_*, libEGL dependency

 Cheers,

-- 
Emmanuel Vadot <manu@bidouilliste.com> <manu@freebsd.org>