Re: Trusted and Untrusted X
From: Holger van Lengerich (list-secureshell_at_nospam.snakeoil.de)
Date: Wed, 8 Jun 2005 22:07:19 +0200
To: Don C Weber <firstname.lastname@example.org>
> My understanding so far is that normally X forwarding is defaulted to
> untrusted. This limits the capabilities of the user so that they cannot
> easily gather information from other windows handled by the X server (i.e.
> keystroke monitoring, etc.). By using the "-Y" option the user is now able
> to access things normally protected by the X server. This is notably
> necessary to use Perl/TK over these connections. I guess this is because
> Perl/TK is making calls that are normally protected by the X server.
> My question is this. Is my description accurate?
> Also, why would they
> let the clientside handle this and not provide an option on the serverside
> to control the access privileges of the incoming users?
As you are trying to protect the X-Server on the SSH-clientside, the
SSH-serverside has to be regarded as untrusted.
> Are there other regular instances where trusted X is necessary?
As you pointed out already, trusted X forwarding is necessary if you run X
applications which won't work with untrusted X11 cookies.
Some X11 applications may start normally with an untrusted X cookie, but will
crash as soon as they try to access X resources not available to untrusted
(E.g. an xterm with an untrusted cookie will crash if you try to cut'n'paste
to and from it. - At least it did when I checked last year. ;-) )
[BTW: For my GCIH practical I wrote a paper (http://snakeoil.de/gcih.pdf) about
how trusted X11-Forwarding can easily be exploited to gain access to the