Re: [gentoo-user] Clickless screenshot...how?

[R0b0t1]

On Sat, Jul 29, 2017 at 1:17 PM, Mart Raudsepp  wrote:
> Ühel kenal päeval, L, 29.07.2017 kell 12:58, kirjutas R0b0t1:
>> On Sat, Jul 29, 2017 at 11:17 AM, Mart Raudsepp 
>> wrote:
>> > Ühel kenal päeval, L, 29.07.2017 kell 13:20, kirjutas tuxic@posteo.
>> > de:
>> > > The task is already accomplished :) with a mixture of WM-based
>> > > hotkey definitions and a delayed commandline utility (main,scrot,
>> > > imagemagick).
>> > > Addtionally I dont think that my X11 uses framebuffer (not shure
>> > > about that, though)...
>> >
>> > Those tools work by using an inherent X11 security hole by reading
>> > out
>> > the root window, it's not relevant to framebuffer in the kernel
>> > sense.
>> >
>> > Note that you can't use a global shortcut key in X11 while a
>> > typical
>> > right click context menu is open, because these take a X11 grab and
>> > even screen lock can't activate.. Then only the delay approach will
>> > work (if desired then together with a shortcut if the shortcut key
>> > is
>> > hit before opening the context menu). Fortunately in this case you
>> > only
>> > wanted a dropdown in firefox, which isn't implemented like that.
>> > This popup menu problem is solved with Wayland (most importantly
>> > the
>> > not screenlocking aspect of it), but so is the root window security
>> > hole, so the compositor/WM needs to take the screenshot and tools
>> > like
>> > import/scrot won't work.
>> >
>>
>> I'm not really sure it is fair to call that a security problem. It's
>> intentional, and that is because there are plenty of things that need
>> access to the whole desktop at once. E.g. automating anything that
>> doesn't expose a development API or have an accessibility API can
>> pretty much only be done by scraping the contents of the screen -
>> these programs simply don't work in Wayland? That seems like a
>> misfeature.
>
> I'm calling things as they are.
> It is intentional only to the point of it not having been a concern
> back in the 1980s during X11 protocol designing.
>
> Any program running under the user can see the whole contents of their
> screen - not just their own; that's how these screenshotters work too,
> but it's easy to think of more nefarious use cases.
>
> Any program running under the user can listen to all key events meant
> for any other X application - that's how global shortcuts from random
> daemons or whatnot work (instead of DE provided hooks). It is trivial
> to write a key snooper.
>

This is true but they are shared resources. You can add some hoops to
jump through but there will always be a shortcut that makes the
security system irrelevant as long as there is a user sitting down in
front of the computer running more than one process.

> Now yes, this is local issues, so hopefully you are good on remote
> access issues, but if not, it might be game over for your terminal
> entered ssh passwords or whatever. There exist some mitigation
> techniques in the form of some non-standard X modules and other means,
> but they are usually not used and also can break such non-nefarious
> tools that make use of these aspects.
> Due to it being local (unless you for some reason enable TCP for X.org
> or something...) you can probably not worry about it too much, but it
> doesn't change the fact that they are security issues to the core of
> X.org, carried over from the 1980s.
>

Again, you're baselessly calling these things security issues. That I
can see the entire screen or receive all key events is simply
necessary for a desktop to exist as people want to use it. You can add
restrictions that might affect newly launched programs but can have
more permissive settings configured for known programs, but this is
getting close to something like SELinux, which already exists, and
which people don't want to use because it is annoying.

If this is a security problem then the fact that process isolation
within a user ID pretty much does not exist is also a security problem
and a far bigger one that makes anything you might want to do
pointless. Any process running as you can just read and write
/proc/ files or use ptrace to modify the state of another program
you are running. I don't need to see all key events to get your
password.

Every process is effectively running as the most privileged process
being run by the user who owns it. If you have a terminal open
somewhere that has a root login I could eventually synthesize
keystrokes to that process and run whatever I wanted to run. Do you
want to avoid this? Congratulations, you've invented mandatory access
control!

>
> To solve these things in Wayland, there are cross-desktop protocols
> being specified to achieve these in a more arbitrated, correct and
> secure manner. There is proper isolation between applications.
>

Do you have a link to this? How are they different from X's protocols?
What about programs associated with the same Wayland session? A lot of
potential "fixes" actually don't 

Re: [gentoo-user] Clickless screenshot...how?

[Mart Raudsepp]

Ühel kenal päeval, L, 29.07.2017 kell 12:58, kirjutas R0b0t1:
> On Sat, Jul 29, 2017 at 11:17 AM, Mart Raudsepp 
> wrote:
> > Ühel kenal päeval, L, 29.07.2017 kell 13:20, kirjutas tuxic@posteo.
> > de:
> > > The task is already accomplished :) with a mixture of WM-based
> > > hotkey definitions and a delayed commandline utility (main,scrot,
> > > imagemagick).
> > > Addtionally I dont think that my X11 uses framebuffer (not shure
> > > about that, though)...
> > 
> > Those tools work by using an inherent X11 security hole by reading
> > out
> > the root window, it's not relevant to framebuffer in the kernel
> > sense.
> > 
> > Note that you can't use a global shortcut key in X11 while a
> > typical
> > right click context menu is open, because these take a X11 grab and
> > even screen lock can't activate.. Then only the delay approach will
> > work (if desired then together with a shortcut if the shortcut key
> > is
> > hit before opening the context menu). Fortunately in this case you
> > only
> > wanted a dropdown in firefox, which isn't implemented like that.
> > This popup menu problem is solved with Wayland (most importantly
> > the
> > not screenlocking aspect of it), but so is the root window security
> > hole, so the compositor/WM needs to take the screenshot and tools
> > like
> > import/scrot won't work.
> > 
> 
> I'm not really sure it is fair to call that a security problem. It's
> intentional, and that is because there are plenty of things that need
> access to the whole desktop at once. E.g. automating anything that
> doesn't expose a development API or have an accessibility API can
> pretty much only be done by scraping the contents of the screen -
> these programs simply don't work in Wayland? That seems like a
> misfeature.

I'm calling things as they are.
It is intentional only to the point of it not having been a concern
back in the 1980s during X11 protocol designing.

Any program running under the user can see the whole contents of their
screen - not just their own; that's how these screenshotters work too,
but it's easy to think of more nefarious use cases.

Any program running under the user can listen to all key events meant
for any other X application - that's how global shortcuts from random
daemons or whatnot work (instead of DE provided hooks). It is trivial
to write a key snooper.

Now yes, this is local issues, so hopefully you are good on remote
access issues, but if not, it might be game over for your terminal
entered ssh passwords or whatever. There exist some mitigation
techniques in the form of some non-standard X modules and other means,
but they are usually not used and also can break such non-nefarious
tools that make use of these aspects.
Due to it being local (unless you for some reason enable TCP for X.org
or something...) you can probably not worry about it too much, but it
doesn't change the fact that they are security issues to the core of
X.org, carried over from the 1980s.


To solve these things in Wayland, there are cross-desktop protocols
being specified to achieve these in a more arbitrated, correct and
secure manner. There is proper isolation between applications.

Re: [gentoo-user] Clickless screenshot...how?

[R0b0t1]

On Sat, Jul 29, 2017 at 11:17 AM, Mart Raudsepp  wrote:
> Ühel kenal päeval, L, 29.07.2017 kell 13:20, kirjutas tu...@posteo.de:
>> The task is already accomplished :) with a mixture of WM-based
>> hotkey definitions and a delayed commandline utility (main,scrot,
>> imagemagick).
>> Addtionally I dont think that my X11 uses framebuffer (not shure
>> about that, though)...
>
> Those tools work by using an inherent X11 security hole by reading out
> the root window, it's not relevant to framebuffer in the kernel sense.
>
> Note that you can't use a global shortcut key in X11 while a typical
> right click context menu is open, because these take a X11 grab and
> even screen lock can't activate.. Then only the delay approach will
> work (if desired then together with a shortcut if the shortcut key is
> hit before opening the context menu). Fortunately in this case you only
> wanted a dropdown in firefox, which isn't implemented like that.
> This popup menu problem is solved with Wayland (most importantly the
> not screenlocking aspect of it), but so is the root window security
> hole, so the compositor/WM needs to take the screenshot and tools like
> import/scrot won't work.
>

I'm not really sure it is fair to call that a security problem. It's
intentional, and that is because there are plenty of things that need
access to the whole desktop at once. E.g. automating anything that
doesn't expose a development API or have an accessibility API can
pretty much only be done by scraping the contents of the screen -
these programs simply don't work in Wayland? That seems like a
misfeature.

R0b0t1.

Re: [gentoo-user] Clickless screenshot...how?

[R0b0t1]

On Sat, Jul 29, 2017 at 3:58 AM,   wrote:
> Long blabla ... short question:
> Is there any screenshooter available which can be fully
> handled via *configurable* keyboad shortcuts?
>

Perhaps a bit much, but I recommend:

https://github.com/baskerville/sxhkd
https://github.com/naelstrof/maim

The first one, a hotkey daemon, is redundant if you are using a
desktop environment that provides one.

Re: [gentoo-user] Clickless screenshot...how?

[Mart Raudsepp]

Ühel kenal päeval, L, 29.07.2017 kell 13:20, kirjutas tu...@posteo.de:
> The task is already accomplished :) with a mixture of WM-based
> hotkey definitions and a delayed commandline utility (main,scrot,
> imagemagick).
> Addtionally I dont think that my X11 uses framebuffer (not shure
> about that, though)...

Those tools work by using an inherent X11 security hole by reading out
the root window, it's not relevant to framebuffer in the kernel sense.

Note that you can't use a global shortcut key in X11 while a typical
right click context menu is open, because these take a X11 grab and
even screen lock can't activate.. Then only the delay approach will
work (if desired then together with a shortcut if the shortcut key is
hit before opening the context menu). Fortunately in this case you only
wanted a dropdown in firefox, which isn't implemented like that.
This popup menu problem is solved with Wayland (most importantly the
not screenlocking aspect of it), but so is the root window security
hole, so the compositor/WM needs to take the screenshot and tools like
import/scrot won't work.

Re: [gentoo-user] Clickless screenshot...how?

[tuxic]

On 07/29 06:52, Bill Kenworthy wrote:
> On 29/07/17 18:05, v...@ukr.net wrote:
> > On Sat, 29 Jul 2017 10:58:50 +0200
> > tu...@posteo.de wrote:
> > 
> >> Hi,
> >>
> >> to display tracking informations (abondomed delivery) to an oversea
> >> seller I need to screenshot a dropdown menu.
> 
> Can you access it via ssh? - you may be able to set it up and copy the
> framebuffer to a raw image and convert it after.
> 
> BillK'
> 

Hi Bill,

Thanks a lot for help! :)

The task is already accomplished :) with a mixture of WM-based
hotkey definitions and a delayed commandline utility (main,scrot,
imagemagick).
Addtionally I dont think that my X11 uses framebuffer (not shure
about that, though)...

Cheers
Meino

Re: [gentoo-user] Clickless screenshot...how?

[Bill Kenworthy]

On 29/07/17 18:05, v...@ukr.net wrote:
> On Sat, 29 Jul 2017 10:58:50 +0200
> tu...@posteo.de wrote:
> 
>> Hi,
>>
>> to display tracking informations (abondomed delivery) to an oversea
>> seller I need to screenshot a dropdown menu.

Can you access it via ssh? - you may be able to set it up and copy the
framebuffer to a raw image and convert it after.

BillK'

Re: [gentoo-user] Clickless screenshot...how?

[tuxic]

On 07/29 01:05, v...@ukr.net wrote:
> On Sat, 29 Jul 2017 10:58:50 +0200
> tu...@posteo.de wrote:
> 
> > Hi,
> > 
> > to display tracking informations (abondomed delivery) to an oversea
> > seller I need to screenshot a dropdown menu.
> > Unfortunately this dropdown menu only drops down when touched with 
> > the mouse pointer.
> > This in turn prohibis any other action with the mourse (changeing
> > the window for example). The only chance I see is hitting any
> > magical key combo, which is not part of firefox shortcut.
> > 
> > Long blabla ... short question:
> > Is there any screenshooter available which can be fully
> > handled via *configurable* keyboad shortcuts?
> > 
> I can suggest a somewhat different approach. You may execute this
> command in the terminal (requires ImageMagick, which is rather
> ubiquitous):
> 
> sleep 3 && import -window root output.png
> 
> which will grab the entire screen after 3 seconds and save the image
> into 'output.png'. This way you can open any menu and choose any
> element of the menu _before_ the 'import' command gets executed.
> 
> You could also play with parameters a bit. For example, you could
> extend the waiting time if you need. You could also redirect the output
> to the 'display' command (also from ImageMagick) in order to check the
> screenshot out before saving it to file (it is possible to save file
> from the 'display''s menu):
> 
> sleep 3 && import -window root - | display
> 
> So, this is not exactly what you asked (no control via hotkeys),
> however, the task of assigning the hotkeys may be solved separately.
> For example, the XFCE and JWM desktops (as well as virtually any
> desktop environment out there) let one assign the custom hotkeys for
> any commands. So it is easy to link the commands I suggested above to
> any hotkeys you want. I use it in JWM a lot.
> 
> I hope, my suggestion is useful.
> Regards,
> Vladimir
> 
> - 
>  
> 

Hi Vladimir,

thanks for suggestions! :)

Yes...in this case the task to accomplish is more important, than
the way to do it! :)

I didn't know, that even imagemagick is able to shoot screens. ;)

My "dream" of a screenshot generator would be something of the
features and functionality of "Greenshot" -- unfortunately it
is windows only -- and I dont want windows.


Cheers
Meino

Re: [gentoo-user] Clickless screenshot...how?

[v_2e]

On Sat, 29 Jul 2017 10:58:50 +0200
tu...@posteo.de wrote:

> Hi,
> 
> to display tracking informations (abondomed delivery) to an oversea
> seller I need to screenshot a dropdown menu.
> Unfortunately this dropdown menu only drops down when touched with 
> the mouse pointer.
> This in turn prohibis any other action with the mourse (changeing
> the window for example). The only chance I see is hitting any
> magical key combo, which is not part of firefox shortcut.
> 
> Long blabla ... short question:
> Is there any screenshooter available which can be fully
> handled via *configurable* keyboad shortcuts?
> 
I can suggest a somewhat different approach. You may execute this
command in the terminal (requires ImageMagick, which is rather
ubiquitous):

sleep 3 && import -window root output.png

which will grab the entire screen after 3 seconds and save the image
into 'output.png'. This way you can open any menu and choose any
element of the menu _before_ the 'import' command gets executed.

You could also play with parameters a bit. For example, you could
extend the waiting time if you need. You could also redirect the output
to the 'display' command (also from ImageMagick) in order to check the
screenshot out before saving it to file (it is possible to save file
from the 'display''s menu):

sleep 3 && import -window root - | display

So, this is not exactly what you asked (no control via hotkeys),
however, the task of assigning the hotkeys may be solved separately.
For example, the XFCE and JWM desktops (as well as virtually any
desktop environment out there) let one assign the custom hotkeys for
any commands. So it is easy to link the commands I suggested above to
any hotkeys you want. I use it in JWM a lot.

I hope, my suggestion is useful.
Regards,
Vladimir

- 
 

Re: [gentoo-user] Clickless screenshot...how?

[tuxic]

On 07/29 11:09, Dan Johansson wrote:
> On 29.07.2017 10:58, tu...@posteo.de wrote:
> > to display tracking informations (abondomed delivery) to an oversea
> > seller I need to screenshot a dropdown menu.
> > Unfortunately this dropdown menu only drops down when touched with 
> > the mouse pointer.
> > This in turn prohibis any other action with the mourse (changeing
> > the window for example). The only chance I see is hitting any
> > magical key combo, which is not part of firefox shortcut.
> > 
> > Long blabla ... short question:
> > Is there any screenshooter available which can be fully
> > handled via *configurable* keyboad shortcuts?
> 
> If you are running KDE and have kde-apps/spectacle (Screenshot capture
> utility) installed, you can configure a delay before the capture - this
> should give you enough time to pull down the drop down menu before the
> screenshot is taken.
> 
> -- 
> Dan Johansson
> ***
> This message is printed on 100% recycled electrons!
> ***
> 

Hi all, :)

thanks for the input! ::))

I am running openbox -- I will look whether and - if - how 
to bind scrot to a key combo.

Cheers
Meino

Re: [gentoo-user] Clickless screenshot...how?

[Dan Johansson]

On 29.07.2017 10:58, tu...@posteo.de wrote:
> to display tracking informations (abondomed delivery) to an oversea
> seller I need to screenshot a dropdown menu.
> Unfortunately this dropdown menu only drops down when touched with 
> the mouse pointer.
> This in turn prohibis any other action with the mourse (changeing
> the window for example). The only chance I see is hitting any
> magical key combo, which is not part of firefox shortcut.
> 
> Long blabla ... short question:
> Is there any screenshooter available which can be fully
> handled via *configurable* keyboad shortcuts?

If you are running KDE and have kde-apps/spectacle (Screenshot capture
utility) installed, you can configure a delay before the capture - this
should give you enough time to pull down the drop down menu before the
screenshot is taken.

-- 
Dan Johansson
***
This message is printed on 100% recycled electrons!
***

Re: [gentoo-user] Clickless screenshot...how?

[Vadim A. Misbakh-Soloviov]

this is fully depends on your WM.

First of all, you can just bind scrot on any key combination your WM allow to.

Second of all, say, KDE's Spectacle can be used to take screenshot by timeout. 
So, you set timeout, press "take screenshot", it hides it's window, you open 
your popup menu, wait for timeout, and get a screenshot containing your popup 
menu without pressing any hotkeys ;)

signature.asc
Description: This is a digitally signed message part.