Re: multiple simultaneous X sessions?
On Mon, 2020-08-24 at 12:38 -0300, Gleydson Soares wrote: > Hi Luke, > > On Mon, Aug 24, 2020 at 09:24:35AM -0600, Luke A. Call wrote: > > What would it take for me to run more than one simultanous X > > session, each > > as a different user? -- I tried once a few years ago, > > searching, reading > > man pages, and chasing error messages, and failed at the time. > > Is it known whether it is reasonably possible with the current > > code? > > > > (This is so I can take advantage of the privilege separation > > provided by the OS, while doing different activities and > > programs > > programs with different informal trust levels, as separate > > users, but without the cpu overhead of using "ssh -[X|Y] > > ...". This was > > my normal practice in my Debian days, switching among them > > with > > Ctrl-Alt-FN.) > > > > Either way, thanks much for any info. > > > > Luke Call > > Maybe you are looking for a nested X11 via Xephyr. > > See this script as example [1] > > [1] https://github.com/gleydsonsoares/xdroprun > That link is broken for me. It shows 404. Maybe the project was taken down or made private? --Aaron
Re: multiple simultaneous X sessions?
On 08-25 01:55, Eldritch wrote: > > Rather, I'm looking for a full separation between the users, > > nothing shared but the obsd kernel and hardware, and no more overhead for > > each one than X normally has, since each user is just running > > flat normal X, but fully and independently of the other X user. Am I > > mistaken in how I understand Xnest and Xephyr? > > It's possible to run multiple X servers. As far as I know all you would > have to do is add another line to /etc/X11/xenodm/Xservers and edit > /etc/ttys to not launch a tty on the console window you selected. > > Altough you don't really need multiple X servers for privilege > separation. ssh and vnc open an untrusted connection to the X server, > which you can do manually with xauth. > > I managed to get Firefox running as an untrusted client with the > following snippet in /etc/X11/xenodm/Xsetup_0: > > user=_firefox > auth=/home/$user/.Xauthority > umask 077 > xauth -f $auth generate :0 . untrusted timeout 0 > chown $user:$user $auth > chmod 0600 $auth > > And then starting it as the unprivileged _firefox user. Thank you! I need to spend some time trying your suggestions, including getting my mind around xauth usage, then testing it with things like xinput or xev, to make sure that, like with "ssh -X...", it prevents any user from getting keystrokes sent to apps which run as other users (though I realize ssh -X doesn't hide mouse events or prevent clipboard sharing, or some such IIRC), and that the total attack surface isn't much larger, etc. -- Luke Call "...I, the Lord, justify you...in befriending that law which is the constitutional law of the land Wherefore, when the wicked rule the people mourn. Wherefore, honest men and wise men should be sought for diligently, and good men and wise men ye should observe to uphold; ...whatsoever is less than these cometh of evil." (Doctrine & Covenants 98:6,9-10. >From 1833, when I think "men" often meant "persons". More at my site: >lukecall.net .) I think *honesty*, the Constitution and the rule of law (as opposed to of individuals), are far more important, relatively, than most or all policy issues, even important ones.
Re: multiple simultaneous X sessions?
Rather, I'm looking for a full separation between the users, nothing shared but the obsd kernel and hardware, and no more overhead for each one than X normally has, since each user is just running flat normal X, but fully and independently of the other X user. Am I mistaken in how I understand Xnest and Xephyr? Right, I think the vnc / Xnest / Xephyr suggestions assume you've got one "main" user accessing the sessions that belong to the other users. I don't really know enough to comment on how much any of this helps with security. -- James
Re: multiple simultaneous X sessions?
> Rather, I'm looking for a full separation between the users, > nothing shared but the obsd kernel and hardware, and no more overhead for > each one than X normally has, since each user is just running > flat normal X, but fully and independently of the other X user. Am I > mistaken in how I understand Xnest and Xephyr? It's possible to run multiple X servers. As far as I know all you would have to do is add another line to /etc/X11/xenodm/Xservers and edit /etc/ttys to not launch a tty on the console window you selected. Altough you don't really need multiple X servers for privilege separation. ssh and vnc open an untrusted connection to the X server, which you can do manually with xauth. I managed to get Firefox running as an untrusted client with the following snippet in /etc/X11/xenodm/Xsetup_0: user=_firefox auth=/home/$user/.Xauthority umask 077 xauth -f $auth generate :0 . untrusted timeout 0 chown $user:$user $auth chmod 0600 $auth And then starting it as the unprivileged _firefox user.
Re: multiple simultaneous X sessions?
On 08-24 12:38, Gleydson Soares wrote: > On Mon, Aug 24, 2020 at 09:24:35AM -0600, Luke A. Call wrote: > > What would it take for me to run more than one simultanous X session, each > > as a different user? -- I tried once a few years ago, searching, reading > > man pages, and chasing error messages, and failed at the time. > > Is it known whether it is reasonably possible with the current code? > > (This is so I can take advantage of the privilege separation > > provided by the OS, while doing different activities and programs > > programs with different informal trust levels, as separate > > users, but without the cpu overhead of using "ssh -[X|Y] ...". This was > > my normal practice in my Debian days, switching among them with > > Ctrl-Alt-FN.) > Maybe you are looking for a nested X11 via Xephyr. > See this script as example [1] > [1] https://github.com/gleydsonsoares/xdroprun And on 8-24 16:01:43, James Cook wrote: > I don't know if it's possible to do exactly what you want, but as an > > alternative, maybe you could get a similar effect using Xnest or vnc. Thanks to both for those suggestions. I've used vnc, and looked only briefly at Xnest and Xephr, but it seems they mean having code running as both users at the same time, in one X session, in other words, one user running X, and another running apps inside that same X+plus+stuff). Rather, I'm looking for a full separation between the users, nothing shared but the obsd kernel and hardware, and no more overhead for each one than X normally has, since each user is just running flat normal X, but fully and independently of the other X user. Am I mistaken in how I understand Xnest and Xephyr? (This is not in any way a complaint or criticism, just a question. I like obsd for considered reasons. :) Thanks again, Luke Call
Re: multiple simultaneous X sessions?
Hi Luke, On Mon, Aug 24, 2020 at 09:24:35AM -0600, Luke A. Call wrote: > What would it take for me to run more than one simultanous X session, each > as a different user? -- I tried once a few years ago, searching, reading > man pages, and chasing error messages, and failed at the time. > Is it known whether it is reasonably possible with the current code? > > (This is so I can take advantage of the privilege separation > provided by the OS, while doing different activities and programs > programs with different informal trust levels, as separate > users, but without the cpu overhead of using "ssh -[X|Y] ...". This was > my normal practice in my Debian days, switching among them with > Ctrl-Alt-FN.) > > Either way, thanks much for any info. > > Luke Call Maybe you are looking for a nested X11 via Xephyr. See this script as example [1] [1] https://github.com/gleydsonsoares/xdroprun
Re: multiple simultaneous X sessions?
On 2020-08-24 15:24, Luke A. Call wrote: What would it take for me to run more than one simultanous X session, each as a different user? -- I tried once a few years ago, searching, reading man pages, and chasing error messages, and failed at the time. Is it known whether it is reasonably possible with the current code? (This is so I can take advantage of the privilege separation provided by the OS, while doing different activities and programs programs with different informal trust levels, as separate users, but without the cpu overhead of using "ssh -[X|Y] ...". This was my normal practice in my Debian days, switching among them with Ctrl-Alt-FN.) Either way, thanks much for any info. Luke Call I don't know if it's possible to do exactly what you want, but as an alternative, maybe you could get a similar effect using Xnest or vnc. -- James