On February 1, 2018 6:42:08 PM GMT+01:00, Dave C <qu...@dave-cohen.com> wrote:
>Indeed, I stand corrected. This point could apply to a restrictive
>firewall, but the VM would need to network with the local VM running
>vncserver.

BTW, you could also pipe the network communication through qrexec. This could be more secure than a restrictive firewall.

>I can imagine opening a terminal in the VM running vncserver and the
>window manager. Could an attacker open a terminal in another VM that has
>opened some application in that display? (Application that is not a
>terminal, I mean. I do see how an attacker could use any application
>shown in the display.)

It depends on what application you mean. I can see how a web browser can be used as a gadget to open a terminal, and some other applications (e.g., LibreOffice) can be used to open a web browser. (And maybe LibreOffice supports macros or something similar, so the attacker does not need a browser/terminal.) Also, a text editor like Geany can be abused for editing files like .bashrc.

I am not sure about generic applications with no such option of saving files and opening them in some apps. I remember statements that X11 is not designed for isolation, and some of those statements look like this is possible generally by design. I was able to neither confirm nor deny it in a short time.

Regards,
Vít Šesták 'v6ak'

Maybe top-posting is bad. However, quoting the whole message (including quotes of quotes and quotes of quotes of quotes etc.) before your message is even worse. Please don't let others scroll extensively.