Re: The importance of mutual authentication: Local Privilege Escalation in X11

["Demi M. Obenour" <demiobenour () gmail com>]

On 11/10/20 1:43 PM, Vladimir D. Seleznev wrote:
> > > This contravenes the ability to run X11 client from another user. The
> > > idea is that X11 server allows any clients with right credentials
> > > regardless of theirs processes UID or GID to connect to the server.
> > Indeed it does, and I mention cryptographic authentication mechanisms
> > below.  Instead of /tmp, /run/X11 would work just as well.  It is
> > the mutual authentication that matters.
> Do I understand you correctly: you propose to forbid running X11 clients
> which processes belong to another users? In that case it is a bad idea:
> I would like to run untrusted clients with special UIDs. Or if I
> understand you wrongly, please explain how client of other user can
> connect to the socket placed in /run/user/$UID with these strict access
> permissions 0700?

If you aren’t using the X Security Extension or the X Access
Control Extension, then X clients aren’t effectively isolated from
each other.  Therefore, connecting untrusted X clients to the desktop
session is a bad idea.

Under my proposal, you would still be able to run an X server with
cryptographic authentication, but it would be more secure than it
is today.  Depending on the display manager, you might need to run
your own X server.

Sincerely,

Demi

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description:

Attachment: OpenPGP_signature
Description: OpenPGP digital signature