How exactly is the Xorg MIT-COOKIE being sent by the application to the server - does Xlib do that?
Veek M
2018-10-17 00:54:32 UTC
I wanted to feed my cookie to user goof via .Xauthority so I created a
named pipe to do it. It works BUT very flakily. I found that I need to
write the cookie numerous times till the application (hexchat/firefox)
loads completely and then kill the feed-cookie program.

1. Why do I need to feed the cookie numerous times?
2. Who is reading the .Xauthority cookie file? Xlib or GTK or the
hexchat/firefox app?
3. Any way to magically/easily feed my cookie to whatever needs it
(above:2) vs using a named pipe.

I'm trying to make my Xorg more secure by preventing storage of the
cookie beyond the app startup.
https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/securing-the-x-window-system-with-selinux-report.pdf

My idea was that if hexchat gets hacked and the file doesn't exist the
hacker can't connect to my Xorg instance and mess around. However he
might be able to dump his memory and read the cookie out?? I was
planning to use Xpra (just a thought)
_______________________________________________
***@lists.x.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: https://lists.x.org/mailman/listinfo/xorg
Alan Coopersmith
2018-10-17 01:18:50 UTC
Post by Veek M
I wanted to feed my cookie to user goof via .Xauthority so I created a
named pipe to do it. It works BUT very flakily. I found that I need to
write the cookie numerous times till the application (hexchat/firefox)
loads completely and then kill the feed-cookie program.
1. Why do I need to feed the cookie numerous times?
Good question.
Post by Veek M
2. Who is reading the .Xauthority cookie file? Xlib or GTK or the
hexchat/firefox app?
It used to be libX11, but now it's libxcb which libX11 calls into.
(Both the old libX11 code and the new libxcb code call libXau to
read the .Xauthority file, and they then pass the cookie to the
X server.)

https://cgit.freedesktop.org/xcb/libxcb/tree/src/xcb_auth.c
https://gitlab.freedesktop.org/xorg/lib/libxau
Post by Veek M
3. Any way to magically/easily feed my cookie to whatever needs it
(above:2) vs using a named pipe.
Not that I know of.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
Veek M
2018-10-31 03:30:37 UTC
You can set up Xorg to listen only on a UNIX DOMAIN socket:
Xorg -nolisten tcp -nolisten inet -nolisten inet6 -listen unix
-nolisten local :0 -seat seat0 vt7 -novtswitch&

The Xorg process must receive a COOKIE on this /tmp/X11/X0 and
@/tmp/X11/X0 device, that matches its cookie - it then creates an
internal CONTEXT that is associated with the cookie-sender's IP:PORT IF
this were a socket (TCP etc). Since we've disabled TCP, the pipe is
used, but how does Xorg validate connections on that one pipe? Does it
use/generate a different token (similar to what FTP does - one port to
negotiate and another for xfer) or is the cookie passed in for every
API call the Xlib/Client makes AFTER XOpenWIndow()?

(I read those docs but I'm not an expert on Xorg and its API and it
has over 10 O'Reilly manuals so..)
Alan Coopersmith
2018-10-31 05:30:35 UTC
Post by Veek M
Xorg -nolisten tcp -nolisten inet -nolisten inet6 -listen unix
-nolisten local :0 -seat seat0 vt7 -novtswitch&
The Xorg process must receive a COOKIE on this /tmp/X11/X0 and
@/tmp/X11/X0 device, that matches its cookie - it then creates an
internal CONTEXT that is associated with the cookie-sender's IP:PORT IF
this were a socket (TCP etc). Since we've disabled TCP, the pipe is
used, but how does Xorg validate connections on that one pipe? Does it
use/generate a different token (similar to what FTP does - one port to
negotiate and another for xfer) or is the cookie passed in for every
API call the Xlib/Client makes AFTER XOpenWIndow()?
Just like a TCP socket, every time an application connects to a
Unix domain socket or named pipe, it causes a new file descriptor
to be created in the X server. In the connection setup on that
file descriptor the client would send the cookie if required, and
the X server then marks that file descriptor as authenticated.
--
-Alan Coopersmith- ***@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
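
The two steps described in the replies above, as an added example that is not part of the thread and is not libXau or libxcb code: parsing the .Xauthority record layout, then building the X11 connection setup request, which is the one message on a connection that carries the cookie. The host name and cookie are constructed sample values, and the function names are hypothetical.

```python
import struct

FAMILY_LOCAL = 256             # FamilyLocal in Xauth.h (entries for Unix-socket displays)
COOKIE = bytes(range(16))      # constructed 16-byte cookie, not a real one

def counted(buf, off):
    """Read a big-endian 16-bit length plus that many bytes; return (bytes, new offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated .Xauthority record")
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated .Xauthority record")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_xauthority(buf):
    """Return [(family, address, display, auth_name, auth_data), ...]."""
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated .Xauthority record")
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        fields = []
        for _ in range(4):                 # address, display number, name, data
            value, off = counted(buf, off)
            fields.append(value)
        entries.append((family, *fields))
    return entries

def record(family, *fields):
    """Serialize one record in the file's layout (used to build the sample below)."""
    body = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    return struct.pack(">H", family) + body

def pad4(b):
    """X11 pads variable-length fields to a multiple of four bytes."""
    return b + b"\0" * (-len(b) % 4)

def setup_request(auth_name, auth_data):
    """Little-endian setup request: byte order, protocol 11.0, name/data lengths."""
    hdr = struct.pack("<BxHHHH2x", ord("l"), 11, 0, len(auth_name), len(auth_data))
    return hdr + pad4(auth_name) + pad4(auth_data)

# Constructed sample file content: one entry for display :0 on "examplehost".
SAMPLE = record(FAMILY_LOCAL, b"examplehost", b"0", b"MIT-MAGIC-COOKIE-1", COOKIE)

if __name__ == "__main__":
    for family, addr, disp, name, data in parse_xauthority(SAMPLE):
        req = setup_request(name, data)
        # Print lengths only; the cookie itself is never echoed.
        print(family, addr, disp, name, len(data), "cookie bytes;", len(req), "byte setup")
```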