Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes

From: Jan Beich <>
Date: Sat, 06 Apr 2024 10:01:54 UTC
Emmanuel Vadot <> writes:

> On Thu, 04 Apr 2024 15:48:55 +0200
> Jan Beich <> wrote:
>> Emmanuel Vadot <> writes:
>> >> but also introduced a number of regressions that
>> >> don't exist in my port, all of which were documented in my reviews.
>> >
>> >  What regressions ? I'm using xwayland for more than a year on my
>> > desktop instead of -devel and haven't seen a problem.
>> Try diff xwayland{,-devel}/Makefile:
>> - Missing XSECURITY (ssh -X vs. ssh -Y; xorg-server parity per bug 221984)
>  I admit that I'm a bit lost on this one, I did some test and here is
> what I found :
>  - Using sway and xwayland (so without xcsecurity enabled) I can't ssh
> -X to a xorg host and run applications (DISPLAY is not set), but I can
> ssh -Y fine

Works fine here:

  # Prepare by removing existing permissions
  $ rm ~/.Xauthority
  $ ssh test@jail rm \~/.Xauthority

  # x11-servers/xwayland-devel
  $ ssh -X test@jail xeyes
  /usr/local/bin/xauth:  file /home/test/.Xauthority does not exist
  Xlib:  extension "XInputExtension" missing on display "localhost:10.0".

  # x11-servers/xwayland
  $ ssh -X test@jail xeyes
  Warning: untrusted X11 forwarding setup failed: xauth key data not generated
  Error: Can't open display:

Alternatively, SECURITY extension can be tested locally:

  $ xauth generate $DISPLAY . untrusted && xeyes
  xauth:  file /home/jbeich/.Xauthority does not exist
  Xlib:  extension "XInputExtension" missing on display ":0".

Curiously, wlroots starts Xwayland without -auth argument unlike others.

>  So what I did next was to recompile xorg-server with xcsecurity
> set to false. And to my surprise ssh -X from a xorg host to the one
> with the modified xorg-server still worked.

Did you run the modified xorg-server locally? ssh -X doesn't use
xorg-server on the remote host, where sshd server is running.

>  xcsecurity is disabled by default in xorg-server upstream (in meson)
> and I think that we should do the same (granted that XACE works
> correctly).

  # X-ACE extension: provides hooks for building security policy extensions
  # like XC-Security, X-SELinux & XTSol

X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
with the legacy XC-Security (trusted/untrusted) or nothing.