Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes

Reply: Emmanuel Vadot : "Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes"
In reply to: Emmanuel Vadot : "Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Jan Beich <jbeich_at_FreeBSD.org>
Date: Sat, 06 Apr 2024 10:01:54 UTC

Emmanuel Vadot <manu@bidouilliste.com> writes:

> On Thu, 04 Apr 2024 15:48:55 +0200
> Jan Beich <jbeich@FreeBSD.org> wrote:
>
>> Emmanuel Vadot <manu@bidouilliste.com> writes:
>> 
>> >> but also introduced a number of regressions that
>> >> don't exist in my port, all of which were documented in my reviews.
>> >
>> >  What regressions ? I'm using xwayland for more than a year on my
>> > desktop instead of -devel and haven't seen a problem.
>> 
>> Try diff xwayland{,-devel}/Makefile:
>> - Missing XSECURITY (ssh -X vs. ssh -Y; xorg-server parity per bug 221984)
>
>  I admit that I'm a bit lost on this one, I did some test and here is
> what I found :
>
>  - Using sway and xwayland (so without xcsecurity enabled) I can't ssh
> -X to a xorg host and run applications (DISPLAY is not set), but I can
> ssh -Y fine

Works fine here:

  # Prepare by removing existing permissions
  $ rm ~/.Xauthority
  $ ssh test@jail rm \~/.Xauthority

  # x11-servers/xwayland-devel
  $ ssh -X test@jail xeyes
  /usr/local/bin/xauth:  file /home/test/.Xauthority does not exist
  Xlib:  extension "XInputExtension" missing on display "localhost:10.0".
  ^C

  # x11-servers/xwayland
  $ ssh -X test@jail xeyes
  Warning: untrusted X11 forwarding setup failed: xauth key data not generated
  Error: Can't open display:

Alternatively, SECURITY extension can be tested locally:

  $ xauth generate $DISPLAY . untrusted && xeyes
  xauth:  file /home/jbeich/.Xauthority does not exist
  Xlib:  extension "XInputExtension" missing on display ":0".
  ^C

Curiously, wlroots starts Xwayland without -auth argument unlike others.
https://gitlab.gnome.org/GNOME/mutter/-/commit/a8984a81c2e8
https://invent.kde.org/plasma/kwin/-/commit/335d9c41925d

>  So what I did next was to recompile xorg-server with xcsecurity
> set to false. And to my surprise ssh -X from a xorg host to the one
> with the modified xorg-server still worked.

Did you run the modified xorg-server locally? ssh -X doesn't use
xorg-server on the remote host, where sshd server is running.

>  xcsecurity is disabled by default in xorg-server upstream (in meson)
> and I think that we should do the same (granted that XACE works
> correctly).

From https://gitlab.freedesktop.org/xorg/xserver/-/blob/c93c2e7718bc/Xext/Makefile.am#L58-59
  # X-ACE extension: provides hooks for building security policy extensions
  # like XC-Security, X-SELinux & XTSol

X-SELinux is Linux-only. XTSol is Solaris-only. Everyone else is left
with the legacy XC-Security (trusted/untrusted) or nothing.