How about running untrusted applications?

Posted Apr 24, 2012 11:44 UTC (Tue) by gmatht (guest, #58961)
In reply to: LFCS 2012: X and Wayland by dlang
Parent article: LFCS 2012: X and Wayland

There has been research into secure GUIs which minimize an application's ability to interfere with other applications running on the same screen, with some attempts to retrofit this to UNIX. For example, the Plash Powerbox uses preload tricks to transparently replace the GTK file open dialog box with a powerbox that hands back the right to open the file the user has chosen (but none of the user's other files, which are otherwise inaccessible due to chroot trickery).

Unfortunately X isn't especially well prepared to deal with hostile clients. Potentially a simpler and more modern system could be more secure. It seems to me that if the clients are responsible for drawing their own decorations, that would instead make a secure GUI harder. The secure GUIs rely on, for example, window titles being correct even in the case of a hostile client. This would seem hard to ensure if the API encouraged applications to draw their own decorations.


How about running untrusted applications?

Posted Apr 24, 2012 13:51 UTC (Tue) by dgm (subscriber, #49227)

> The secure GUIs rely on, for example, window titles being correct even in the case of a hostile client.

A very poor assumption, if you ask me.

How about running untrusted applications?

Posted Apr 24, 2012 14:15 UTC (Tue) by renox (subscriber, #23785)

>> The secure GUIs rely on, for example, window titles being correct even in the case of a hostile client.
> A very poor assumption, if you ask me.

Uh? If the window manager is in the server, that's not such a bad assumption!
For example, you can divide your applications into trusted and untrusted ones, the window title being very different in both cases.
With CSD, obviously you can't do this.

How about running untrusted applications?

Posted Apr 24, 2012 16:11 UTC (Tue) by dgm (subscriber, #49227)

Correct me if I'm wrong but:
1. Aren't X11 applications able to specify their window title?
2. Aren't X11 applications able to override the WM redirection if they ask to? And finally...
3. Aren't server-side decorations something exclusive to X, meaning that applications relying on this would not be portable to Windows or OS X?

How about running untrusted applications?

Posted Apr 24, 2012 16:32 UTC (Tue) by renox (subscriber, #23785)

> Correct me if I'm wrong but:
> 1. Aren't X11 applications able to specify their window title?

Of course they are, but this doesn't mean that a window manager cannot get its own way to check whether the application is trusted or not (not so simple in practice, but doable I think) and display a trust indicator next to the window title.

Not sure what you mean about your point 2, but clearly untrusted applications must be restricted in what they're allowed to do (no real fullscreen, no input redirection, etc).

> 3. Aren't server-side decorations something exclusive to X, meaning that applications relying on this would not be portable to Windows or OS X?

Portable applications exist already today with X and Windows/OS X, so I'm not sure what your point is.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds