urxvt synthetic events - security hole?

Benjamin R. Haskell rxvt-unicode at benizi.com
Thu Jul 15 13:29:35 CEST 2010


On Thu, 15 Jul 2010, Ben Price wrote:

> On Thu, Jul 15, 2010 at 02:09:23AM +0200, Marc Lehmann wrote:
> > Accepting synthetic events is, of course, not a security hole.
> 
> Perhaps I am confused, but wouldn't this mean any program could run 
> arbitrary commands via urxvt? Obviously this wouldn't normally be a 
> problem, but what about if I had a ``su'' session open? This would (I 
> think) allow arbitrary commands to be run as root.

Due to the way X11 works, if a process has the ability to generate 
synthetic X11 events, you're already screwed.  Via the Cygwin FAQ entry 
on X11 forwarding[1], I found a broken link to the NSA's SELinux group's 
explanation of the core problem (correct link: [2]):

"""
The X protocol for graphical applications was not designed with security 
as a major concern. The X server applies limits to initial connections 
from clients, but does not limit actions of connected clients. Any 
client on the system can read the state of any objects in the server, 
can receive and monitor any and all input, and can manipulate any 
window.
"""

-- 
Best,
Ben

[1] Cygwin FAQ on X11 forwarding
http://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html

[2] SELinux requirements for securing X11
http://www.nsa.gov/research/_files/selinux/papers/x11/x93.shtml
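
Added example, not part of the original message or of urxvt's code: in the core X protocol the server sets the high bit of an event's code byte when the event was generated by another client's SendEvent request (Xlib exposes this as the send_event field). The sketch below reads that bit from a constructed event buffer; the policy function and the sample bytes are assumptions, and, as the quoted text says, the server does not otherwise limit the actions of a connected client.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define X_EVENT_SIZE   32    /* every core-protocol event is 32 bytes */
#define X_SEND_EVENT   0x80  /* set in the code byte for SendEvent-generated events */
#define X_KEY_PRESS    2
#define X_KEY_RELEASE  3

/* Constructed sample stream: a real KeyPress, then a synthetic KeyPress and
   KeyRelease (keycode 38 is an arbitrary sample value). */
static const uint8_t sample_stream[3 * X_EVENT_SIZE] = {
    [0]  = X_KEY_PRESS,                  [1]  = 38,
    [32] = X_KEY_PRESS | X_SEND_EVENT,   [33] = 38,
    [64] = X_KEY_RELEASE | X_SEND_EVENT, [65] = 38,
};

/* Returns 1 if the event came from another client's SendEvent request. */
int is_synthetic(const uint8_t *ev) { return (ev[0] & X_SEND_EVENT) != 0; }

/* Event type with the synthetic bit masked off. */
int event_type(const uint8_t *ev) { return ev[0] & 0x7f; }

/* Hypothetical policy: count the key events a client would drop if it refused
   synthetic input. Trailing bytes that do not form a whole event are ignored. */
size_t count_dropped_keys(const uint8_t *buf, size_t len) {
    size_t dropped = 0;
    for (size_t off = 0; off + X_EVENT_SIZE <= len; off += X_EVENT_SIZE) {
        const uint8_t *ev = buf + off;
        int t = event_type(ev);
        if (is_synthetic(ev) && (t == X_KEY_PRESS || t == X_KEY_RELEASE))
            dropped++;
    }
    return dropped;
}

int main(void) {
    printf("dropped %zu of 3 key events\n",
           count_dropped_keys(sample_stream, sizeof sample_stream));
    return 0;
}
```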



