On Thu, Jun 25, 2015 at 02:32:24PM -0500, Derek Martin wrote:
> On Sun, Jun 21, 2015 at 03:18:03PM +0200, Bill Bogstad wrote:
> > On Sun, Jun 21, 2015 at 1:10 PM, Jerry Feldman <[email protected]> wrote:
> >
> > I'm curious though, how this other user account gains access to your
> > X server. Allowing other user ids to write on your screen/capture
> > key & mouse events seems to me to be a potential issue.
>
> Only if someone else can log in as that user.
>
> It's been my experience that I didn't need to fix display access, but
> maybe it's because typically I'm switching to root. But if you need
> to, it's not hard... just arcane.
...
> xauth add myhost/unix:0 MIT-MAGIC-COOKIE-1 <cookie_value>
>
> Should now work fine, without allowing access to anyone else on the
> box. Just tested it in my Ubuntu VM, closed WORKSFORME. ;-)

I figured Bill was concerned with an exploit owning firefox and being able to run arbitrary code as that user. Arbitrary code would include Xlib calls so they're home free.

You'd need to give your unprivileged user untrusted access to the xserver to be safer. See xauth(1), the generate command and the untrusted argument to it. That brings the SECURITY extension into play, restricting their access to the XServer and limiting which X extensions can be used. Give it a try, but I'm not sure you'll be happy with the resulting behaviour of firefox or your ability to use the clipboard or selection.

There's also something called XACE, but I couldn't make heads or tails of it. Sounds like SELinux in terms of complexity.

On the memory topic, I tried dillo this morning again. VSZ around 4MB, but maybe not up to most of what you'd want to throw at it. It may be loading everything sequentially in a single thread too. Pretty slow bringing up pages compared to firefox (when not swapping).

--
[email protected]
SDF Public Access UNIX System - http://sdf.org
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
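
The `generate ... untrusted` step from xauth(1) mentioned in the reply above, written out as an added example that is not part of the original thread. The `XAUTH` override variable, the two function names, the file name `.Xauthority-untrusted` and the account name `browser` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: the XAUTH override
# variable, both function names, and the file .Xauthority-untrusted.
XAUTH=${XAUTH:-xauth}

# make_untrusted_cookie DISPLAY FILE
# Ask the X server for a fresh MIT-MAGIC-COOKIE-1 authorization that the
# SECURITY extension marks untrusted, stored in FILE instead of ~/.Xauthority.
make_untrusted_cookie() {
    muc_disp=$1 muc_file=$2
    [ -n "$muc_disp" ] && [ -n "$muc_file" ] || return 2
    # Create the file private (0600) before any cookie is written to it.
    ( umask 077 && : > "$muc_file" ) || return 1
    # "." selects MIT-MAGIC-COOKIE-1; "timeout 0" stops the server from
    # purging the cookie while no client is using it.
    if ! "$XAUTH" -f "$muc_file" generate "$muc_disp" . untrusted timeout 0; then
        rm -f "$muc_file"   # fail closed: never fall back to the trusted cookie
        return 1
    fi
    # Do not rely on the exit status alone; confirm an entry really exists.
    if [ -z "$("$XAUTH" -f "$muc_file" list "$muc_disp" 2>/dev/null)" ]; then
        rm -f "$muc_file"
        return 1
    fi
}

# run_untrusted USER DISPLAY COMMAND...
# Hand only the untrusted cookie to USER and start COMMAND with it.
run_untrusted() {
    ru_user=$1 ru_disp=$2
    shift 2
    ru_dir=$(mktemp -d) || return 1
    make_untrusted_cookie "$ru_disp" "$ru_dir/cookie" || { rm -rf "$ru_dir"; return 1; }
    # nextract/nmerge move the entry as text, so USER's file is written by
    # USER's own xauth and this account's ~/.Xauthority is never exposed.
    "$XAUTH" -f "$ru_dir/cookie" nextract - "$ru_disp" |
        sudo -u "$ru_user" -H sh -c \
            'umask 077; xauth -f "$HOME/.Xauthority-untrusted" nmerge -'
    ru_rc=$?
    rm -rf "$ru_dir"
    [ "$ru_rc" -eq 0 ] || return 1
    sudo -u "$ru_user" -H sh -c \
        'DISPLAY=$1; XAUTHORITY=$HOME/.Xauthority-untrusted; export DISPLAY XAUTHORITY; shift; exec "$@"' \
        sh "$ru_disp" "$@"
}

# Example: run_untrusted browser "$DISPLAY" firefox   ("browser" is a placeholder account)
```

DISPLAY and XAUTHORITY are set inside the target user's shell because sudo may otherwise pass the caller's values through, which would point the client back at the trusted cookie.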
