Re: [gentoo-user] Clickless screenshot...how?
On Sat, Jul 29, 2017 at 1:17 PM, Mart Raudsepp wrote:
> One fine day, Sat, 29.07.2017 at 12:58, R0b0t1 wrote:
>> On Sat, Jul 29, 2017 at 11:17 AM, Mart Raudsepp wrote:
>> > One fine day, Sat, 29.07.2017 at 13:20, tuxic@posteo.de wrote:
>> > > The task is already accomplished :) with a mixture of WM-based
>> > > hotkey definitions and a delayed commandline utility (main, scrot,
>> > > imagemagick).
>> > > Additionally I don't think that my X11 uses framebuffer (not sure
>> > > about that, though)...
>> >
>> > Those tools work by using an inherent X11 security hole by reading out
>> > the root window, it's not relevant to framebuffer in the kernel sense.
>> >
>> > Note that you can't use a global shortcut key in X11 while a typical
>> > right click context menu is open, because these take a X11 grab and
>> > even screen lock can't activate.. Then only the delay approach will
>> > work (if desired then together with a shortcut if the shortcut key is
>> > hit before opening the context menu). Fortunately in this case you only
>> > wanted a dropdown in firefox, which isn't implemented like that.
>> > This popup menu problem is solved with Wayland (most importantly the
>> > not screenlocking aspect of it), but so is the root window security
>> > hole, so the compositor/WM needs to take the screenshot and tools like
>> > import/scrot won't work.
>> >
>>
>> I'm not really sure it is fair to call that a security problem. It's
>> intentional, and that is because there are plenty of things that need
>> access to the whole desktop at once. E.g. automating anything that
>> doesn't expose a development API or have an accessibility API can
>> pretty much only be done by scraping the contents of the screen -
>> these programs simply don't work in Wayland? That seems like a
>> misfeature.
>
> I'm calling things as they are.
> It is intentional only to the point of it not having been a concern
> back in the 1980s during X11 protocol designing.
>
> Any program running under the user can see the whole contents of their
> screen - not just their own; that's how these screenshotters work too,
> but it's easy to think of more nefarious use cases.
>
> Any program running under the user can listen to all key events meant
> for any other X application - that's how global shortcuts from random
> daemons or whatnot work (instead of DE provided hooks). It is trivial
> to write a key snooper.
>

This is true but they are shared resources. You can add some hoops to
jump through but there will always be a shortcut that makes the security
system irrelevant as long as there is a user sitting down in front of
the computer running more than one process.

> Now yes, these are local issues, so hopefully you are good on remote
> access issues, but if not, it might be game over for your terminal
> entered ssh passwords or whatever. There exist some mitigation
> techniques in the form of some non-standard X modules and other means,
> but they are usually not used and also can break such non-nefarious
> tools that make use of these aspects.
> Due to it being local (unless you for some reason enable TCP for X.org
> or something...) you can probably not worry about it too much, but it
> doesn't change the fact that they are security issues to the core of
> X.org, carried over from the 1980s.
>

Again, you're baselessly calling these things security issues. That I
can see the entire screen or receive all key events is simply necessary
for a desktop to exist as people want to use it. You can add
restrictions that might affect newly launched programs but can have more
permissive settings configured for known programs, but this is getting
close to something like SELinux, which already exists, and which people
don't want to use because it is annoying.

If this is a security problem then the fact that process isolation
within a user ID pretty much does not exist is also a security problem
and a far bigger one that makes anything you might want to do pointless.
Any process running as you can just read and write /proc/ files or use
ptrace to modify the state of another program you are running. I don't
need to see all key events to get your password.

Every process is effectively running as the most privileged process
being run by the user who owns it. If you have a terminal open somewhere
that has a root login I could eventually synthesize keystrokes to that
process and run whatever I wanted to run. Do you want to avoid this?
Congratulations, you've invented mandatory access control!

>
> To solve these things in Wayland, there are cross-desktop protocols
> being specified to achieve these in a more arbitrated, correct and
> secure manner. There is proper isolation between applications.
>

Do you have a link to this? How are they different from X's protocols?
What about programs associated with the same Wayland session? A lot of
potential "fixes" actually don't
Re: [gentoo-user] Clickless screenshot...how?
One fine day, Sat, 29.07.2017 at 12:58, R0b0t1 wrote:
> On Sat, Jul 29, 2017 at 11:17 AM, Mart Raudsepp wrote:
> > One fine day, Sat, 29.07.2017 at 13:20, tuxic@posteo.de wrote:
> > > The task is already accomplished :) with a mixture of WM-based
> > > hotkey definitions and a delayed commandline utility (main, scrot,
> > > imagemagick).
> > > Additionally I don't think that my X11 uses framebuffer (not sure
> > > about that, though)...
> >
> > Those tools work by using an inherent X11 security hole by reading out
> > the root window, it's not relevant to framebuffer in the kernel sense.
> >
> > Note that you can't use a global shortcut key in X11 while a typical
> > right click context menu is open, because these take a X11 grab and
> > even screen lock can't activate.. Then only the delay approach will
> > work (if desired then together with a shortcut if the shortcut key is
> > hit before opening the context menu). Fortunately in this case you only
> > wanted a dropdown in firefox, which isn't implemented like that.
> > This popup menu problem is solved with Wayland (most importantly the
> > not screenlocking aspect of it), but so is the root window security
> > hole, so the compositor/WM needs to take the screenshot and tools like
> > import/scrot won't work.
> >
>
> I'm not really sure it is fair to call that a security problem. It's
> intentional, and that is because there are plenty of things that need
> access to the whole desktop at once. E.g. automating anything that
> doesn't expose a development API or have an accessibility API can
> pretty much only be done by scraping the contents of the screen -
> these programs simply don't work in Wayland? That seems like a
> misfeature.

I'm calling things as they are.
It is intentional only to the point of it not having been a concern
back in the 1980s during X11 protocol designing.

Any program running under the user can see the whole contents of their
screen - not just their own; that's how these screenshotters work too,
but it's easy to think of more nefarious use cases.

Any program running under the user can listen to all key events meant
for any other X application - that's how global shortcuts from random
daemons or whatnot work (instead of DE provided hooks). It is trivial
to write a key snooper.

Now yes, these are local issues, so hopefully you are good on remote
access issues, but if not, it might be game over for your terminal
entered ssh passwords or whatever. There exist some mitigation
techniques in the form of some non-standard X modules and other means,
but they are usually not used and also can break such non-nefarious
tools that make use of these aspects.
Due to it being local (unless you for some reason enable TCP for X.org
or something...) you can probably not worry about it too much, but it
doesn't change the fact that they are security issues to the core of
X.org, carried over from the 1980s.

To solve these things in Wayland, there are cross-desktop protocols
being specified to achieve these in a more arbitrated, correct and
secure manner. There is proper isolation between applications.
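The message above notes that these X11 issues stay local unless TCP is enabled for X.org. As an added example (not part of the thread and not any poster's code), this shell script flags listeners in the X11 TCP range 6000-6063 from `ss -Hltn` output and checks an X server command line for `-listen tcp`; the sample socket list, command lines and paths are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check whether an X server is reachable
# over TCP. All sample input below is constructed, not taken from a real host.

# Constructed sample of `ss -Hltn` output (listening TCP sockets, no header).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 [::]:6001 [::]:*'

# Constructed sample X server command lines (paths are placeholders).
SAMPLE_XORG_OK='/usr/bin/X :0 -nolisten tcp -auth /run/user/1000/xauth vt7'
SAMPLE_XORG_TCP='/usr/bin/X :0 -listen tcp -auth /run/user/1000/xauth vt7'

# Read `ss -Hltn` lines on stdin and print "<scope> <local-address>" for each
# listener in the X11 TCP range 6000-6063 (display :N listens on 6000+N).
# "loopback" entries are typically sshd X11 forwarding; "network" entries are
# reachable from other hosts and deserve a closer look.
x11_tcp_listeners() {
    awk '{
        addr = $4
        n = split(addr, part, ":")
        port = part[n] + 0
        if (port < 6000 || port > 6063) next
        host = substr(addr, 1, length(addr) - length(part[n]) - 1)
        scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "network"
        print scope, addr
    }'
}

# Return 0 if an X server command line explicitly enables TCP connections.
xorg_listens_tcp() {
    case " $1 " in
        *" -listen tcp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# With --live, inspect this host; otherwise run on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    ss -Hltn | x11_tcp_listeners
else
    printf '%s\n' "$SAMPLE_SS" | x11_tcp_listeners
fi
```

A port in this range is only a hint: confirm which process owns the socket before treating it as an exposed X server.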
Re: [gentoo-user] Clickless screenshot...how?
On Sat, Jul 29, 2017 at 11:17 AM, Mart Raudsepp wrote:
> One fine day, Sat, 29.07.2017 at 13:20, tu...@posteo.de wrote:
>> The task is already accomplished :) with a mixture of WM-based
>> hotkey definitions and a delayed commandline utility (main, scrot,
>> imagemagick).
>> Additionally I don't think that my X11 uses framebuffer (not sure
>> about that, though)...
>
> Those tools work by using an inherent X11 security hole by reading out
> the root window, it's not relevant to framebuffer in the kernel sense.
>
> Note that you can't use a global shortcut key in X11 while a typical
> right click context menu is open, because these take a X11 grab and
> even screen lock can't activate.. Then only the delay approach will
> work (if desired then together with a shortcut if the shortcut key is
> hit before opening the context menu). Fortunately in this case you only
> wanted a dropdown in firefox, which isn't implemented like that.
> This popup menu problem is solved with Wayland (most importantly the
> not screenlocking aspect of it), but so is the root window security
> hole, so the compositor/WM needs to take the screenshot and tools like
> import/scrot won't work.
>

I'm not really sure it is fair to call that a security problem. It's
intentional, and that is because there are plenty of things that need
access to the whole desktop at once. E.g. automating anything that
doesn't expose a development API or have an accessibility API can
pretty much only be done by scraping the contents of the screen -
these programs simply don't work in Wayland? That seems like a
misfeature.

R0b0t1.
Re: [gentoo-user] Clickless screenshot...how?
On Sat, Jul 29, 2017 at 3:58 AM, wrote:
> Long blabla ... short question:
> Is there any screenshooter available which can be fully
> handled via *configurable* keyboard shortcuts?
>

Perhaps a bit much, but I recommend:

https://github.com/baskerville/sxhkd
https://github.com/naelstrof/maim

The first one, a hotkey daemon, is redundant if you are using a desktop
environment that provides one.
Re: [gentoo-user] Clickless screenshot...how?
One fine day, Sat, 29.07.2017 at 13:20, tu...@posteo.de wrote:
> The task is already accomplished :) with a mixture of WM-based
> hotkey definitions and a delayed commandline utility (main, scrot,
> imagemagick).
> Additionally I don't think that my X11 uses framebuffer (not sure
> about that, though)...

Those tools work by using an inherent X11 security hole by reading out
the root window, it's not relevant to framebuffer in the kernel sense.

Note that you can't use a global shortcut key in X11 while a typical
right click context menu is open, because these take a X11 grab and
even screen lock can't activate.. Then only the delay approach will
work (if desired then together with a shortcut if the shortcut key is
hit before opening the context menu). Fortunately in this case you only
wanted a dropdown in firefox, which isn't implemented like that.
This popup menu problem is solved with Wayland (most importantly the
not screenlocking aspect of it), but so is the root window security
hole, so the compositor/WM needs to take the screenshot and tools like
import/scrot won't work.
Re: [gentoo-user] Clickless screenshot...how?
On 07/29 06:52, Bill Kenworthy wrote:
> On 29/07/17 18:05, v...@ukr.net wrote:
> > On Sat, 29 Jul 2017 10:58:50 +0200
> > tu...@posteo.de wrote:
> >
> >> Hi,
> >>
> >> to display tracking information (abandoned delivery) to an overseas
> >> seller I need to screenshot a dropdown menu.
>
> Can you access it via ssh? - you may be able to set it up and copy the
> framebuffer to a raw image and convert it after.
>
> BillK
>

Hi Bill,

Thanks a lot for help! :)
The task is already accomplished :) with a mixture of WM-based
hotkey definitions and a delayed commandline utility (main, scrot,
imagemagick).
Additionally I don't think that my X11 uses framebuffer (not sure
about that, though)...

Cheers
Meino
Re: [gentoo-user] Clickless screenshot...how?
On 29/07/17 18:05, v...@ukr.net wrote:
> On Sat, 29 Jul 2017 10:58:50 +0200
> tu...@posteo.de wrote:
>
>> Hi,
>>
>> to display tracking information (abandoned delivery) to an overseas
>> seller I need to screenshot a dropdown menu.

Can you access it via ssh? - you may be able to set it up and copy the
framebuffer to a raw image and convert it after.

BillK
Re: [gentoo-user] Clickless screenshot...how?
On 07/29 01:05, v...@ukr.net wrote:
> On Sat, 29 Jul 2017 10:58:50 +0200
> tu...@posteo.de wrote:
>
> > Hi,
> >
> > to display tracking information (abandoned delivery) to an overseas
> > seller I need to screenshot a dropdown menu.
> > Unfortunately this dropdown menu only drops down when touched with
> > the mouse pointer.
> > This in turn prohibits any other action with the mouse (changing
> > the window for example). The only chance I see is hitting any
> > magical key combo, which is not part of firefox shortcut.
> >
> > Long blabla ... short question:
> > Is there any screenshooter available which can be fully
> > handled via *configurable* keyboard shortcuts?
> >
> I can suggest a somewhat different approach. You may execute this
> command in the terminal (requires ImageMagick, which is rather
> ubiquitous):
>
>     sleep 3 && import -window root output.png
>
> which will grab the entire screen after 3 seconds and save the image
> into 'output.png'. This way you can open any menu and choose any
> element of the menu _before_ the 'import' command gets executed.
>
> You could also play with parameters a bit. For example, you could
> extend the waiting time if you need. You could also redirect the output
> to the 'display' command (also from ImageMagick) in order to check the
> screenshot out before saving it to file (it is possible to save file
> from the 'display''s menu):
>
>     sleep 3 && import -window root - | display
>
> So, this is not exactly what you asked (no control via hotkeys),
> however, the task of assigning the hotkeys may be solved separately.
> For example, the XFCE and JWM desktops (as well as virtually any
> desktop environment out there) let one assign the custom hotkeys for
> any commands. So it is easy to link the commands I suggested above to
> any hotkeys you want. I use it in JWM a lot.
>
> I hope, my suggestion is useful.
> Regards,
> Vladimir
>
> -
>

Hi Vladimir,

thanks for suggestions! :)
Yes...in this case the task to accomplish is more important, than
the way to do it! :)
I didn't know, that even imagemagick is able to shoot screens. ;)

My "dream" of a screenshot generator would be something of the
features and functionality of "Greenshot" -- unfortunately it is
windows only -- and I don't want windows.

Cheers
Meino
Re: [gentoo-user] Clickless screenshot...how?
On Sat, 29 Jul 2017 10:58:50 +0200 tu...@posteo.de wrote:
> Hi,
>
> to display tracking information (abandoned delivery) to an overseas
> seller I need to screenshot a dropdown menu.
> Unfortunately this dropdown menu only drops down when touched with
> the mouse pointer.
> This in turn prohibits any other action with the mouse (changing
> the window for example). The only chance I see is hitting any
> magical key combo, which is not part of firefox shortcut.
>
> Long blabla ... short question:
> Is there any screenshooter available which can be fully
> handled via *configurable* keyboard shortcuts?
>

I can suggest a somewhat different approach. You may execute this
command in the terminal (requires ImageMagick, which is rather
ubiquitous):

    sleep 3 && import -window root output.png

which will grab the entire screen after 3 seconds and save the image
into 'output.png'. This way you can open any menu and choose any
element of the menu _before_ the 'import' command gets executed.

You could also play with parameters a bit. For example, you could
extend the waiting time if you need. You could also redirect the output
to the 'display' command (also from ImageMagick) in order to check the
screenshot out before saving it to file (it is possible to save file
from the 'display''s menu):

    sleep 3 && import -window root - | display

So, this is not exactly what you asked (no control via hotkeys),
however, the task of assigning the hotkeys may be solved separately.
For example, the XFCE and JWM desktops (as well as virtually any
desktop environment out there) let one assign the custom hotkeys for
any commands. So it is easy to link the commands I suggested above to
any hotkeys you want. I use it in JWM a lot.

I hope, my suggestion is useful.
Regards,
Vladimir

-
Re: [gentoo-user] Clickless screenshot...how?
On 07/29 11:09, Dan Johansson wrote:
> On 29.07.2017 10:58, tu...@posteo.de wrote:
> > to display tracking information (abandoned delivery) to an overseas
> > seller I need to screenshot a dropdown menu.
> > Unfortunately this dropdown menu only drops down when touched with
> > the mouse pointer.
> > This in turn prohibits any other action with the mouse (changing
> > the window for example). The only chance I see is hitting any
> > magical key combo, which is not part of firefox shortcut.
> >
> > Long blabla ... short question:
> > Is there any screenshooter available which can be fully
> > handled via *configurable* keyboard shortcuts?
>
> If you are running KDE and have kde-apps/spectacle (Screenshot capture
> utility) installed, you can configure a delay before the capture - this
> should give you enough time to pull down the drop down menu before the
> screenshot is taken.
>
> --
> Dan Johansson
> ***
> This message is printed on 100% recycled electrons!
> ***
>

Hi all, :)

thanks for the input! ::))

I am running openbox -- I will look whether and - if - how to bind
scrot to a key combo.

Cheers
Meino
Re: [gentoo-user] Clickless screenshot...how?
On 29.07.2017 10:58, tu...@posteo.de wrote:
> to display tracking information (abandoned delivery) to an overseas
> seller I need to screenshot a dropdown menu.
> Unfortunately this dropdown menu only drops down when touched with
> the mouse pointer.
> This in turn prohibits any other action with the mouse (changing
> the window for example). The only chance I see is hitting any
> magical key combo, which is not part of firefox shortcut.
>
> Long blabla ... short question:
> Is there any screenshooter available which can be fully
> handled via *configurable* keyboard shortcuts?

If you are running KDE and have kde-apps/spectacle (Screenshot capture
utility) installed, you can configure a delay before the capture - this
should give you enough time to pull down the drop down menu before the
screenshot is taken.

--
Dan Johansson
***
This message is printed on 100% recycled electrons!
***
Re: [gentoo-user] Clickless screenshot...how?
This fully depends on your WM.

First of all, you can just bind scrot on any key combination your WM
allows.

Second of all, say, KDE's Spectacle can be used to take screenshot by
timeout. So, you set timeout, press "take screenshot", it hides its
window, you open your popup menu, wait for timeout, and get a
screenshot containing your popup menu without pressing any hotkeys ;)