To be honest I can't say one way or another about whether there are security issues in X if one has malicious clients connected.
However I'm not having success discussing these matters over at [email protected]. I'm not the most likable person and I've even recently discovered that there are people who won't hesitate to pick on me. I can understand why people don't like me and that I have issues correctly expressing myself; even so, I believe that what I'm trying to say is important. I believe that a discussion and perhaps further documentation on the security of X, and more importantly the future security of X, is overdue.

For the purposes of this discussion I'd like to use a very loose definition for malicious clients, to include any client running on a remote (from the X server) system. I believe that any system can be compromised and thus unknowingly be running a rootkit. There should be layers of security that would limit the effectiveness of such an attack. I believe doing so will cause Malicious Programmers and Users to be less likely to develop and deploy rootkits that have hooks into xclients to attack remote X servers. Therefore it's my assumption that a lack of security in this area would make the once Network Transparent Windows System less useful over any network and promote the spread of any type of rootkit.

This started after I read an LWN article about the [1]story of the XInput multitouch extension. It seems that this extension may leak sensitive information to malicious clients.

1. http://lwn.net/Articles/485484/

I wanted to discuss the issue with the greater X community. Believing that what code to accept and reject as patches was indeed on-topic for [email protected], I [2]posted over there first.

2. http://lists.x.org/archives/xorg-devel/2012-June/031561.html

I was eventually moderated and have lost my ability to speak in that forum. This alone tells me that I need to keep trying; there is obviously some form of oppression going on here, as I myself have been oppressed.
I thought that even though this may be off-topic here, it would be of interest, as I've often seen discussions here about matters of local user privilege escalations, and although it may be a solution to not allow malicious users, this removes a vital feature. In much the same way, not allowing malicious clients on an X server also removes a vital feature. I wonder if there is anyone who believes this should be a priority? I can see why, in the spirit of progress, either of these could be sacrificed, though unless done secretly there is bound to be some user resistance. My intent is to ensure that something like this is never done behind even an accidental veil of secrecy, as has seemingly happened in this case.

Thank you.

