On Sunday, January 28, 2018 at 12:24:08 PM UTC-8, Vít Šesták wrote:
> On January 27, 2018 7:57:02 AM GMT+01:00, Dave C wrote:
> >* VMs that can't access the conference site (i.e. bluejeans.com) or
> >can't access the net at all
> 
> How can a VM without network access open a window in the X11 accessible from 
> network?

Indeed, I stand corrected.  This point could apply to a restrictive firewall, 
but the VM would need to network with the local VM running vncserver.

[snip]
> 
> >My approach lowers security while screensharing.  But the rest of the
> >time, not screensharing, the VMs are running with normal firewall
> >settings.
> 
> It is likely that a VM can infect any other of the VMs (or the screensharing 
> VM). There are multiple potential ways to do so:
> 
> a. Exploit some vulnerability in the X11 protocol implementation.
> b. Open a terminal (if not already opened) and type a command. This is 
> possible, because any client can inject any input events to another client.

I can imagine opening a terminal in the VM running vncserver and the window 
manager.  Could an attacker open a terminal in another VM that has opened some 
application in that display?  (Application that is not a terminal, I mean.  I 
do see how an attacker could use any application shown in the display.)

> c. Download some file using a web browser and run/install it (e.g., using some 
> packaging system).
> d. I remember I have read that X11 effectively provides no isolation between 
> apps and I had an impression that any app can by design even run some code in 
> another client. However, don't take this point as verified unless you verify 
> it from some other source.

You make some great points.  Thanks.  I'm re-thinking my approach.

-Dave

> 
> Regards,
> Vít Šesták 'v6ak'
> 
> General note: Maybe top-posting is bad. However, quoting the whole message 
> (including quotes of quotes and quotes of quotes of quotes etc.) before your 
> message is even worse. Please don't let others scroll extensively.
