mid-kid 3 hours ago [-]
For an article written late last year I hoped for a little more awareness of how massive a security hole granting full, unfiltered access to the X11 server is. Granted, any sandboxing is better than none, but Firefox is one of the few apps that already sandboxes itself really well, and with a blog title like that it might be good to touch upon things like nested X servers such as Xephyr.
ChocolateGod 59 minutes ago [-]
Correct me if I'm wrong, but passing through the X socket gives a giant sandbox escape as any application can control/see any other application, including a root terminal in a GUI app.
Chu4eeno 35 minutes ago [-]
No, X11 supports pretty detailed per-application access control, similar to SELinux (XACE).
The author of the phoenix x server has blogged about it, iirc.
ChocolateGod 27 minutes ago [-]
> XACE
Which is configured by default on what distros?
LtWorf 4 hours ago [-]
Or one could just use firejail, which comes with a number of pre-made profiles for common applications.
nosioptar 3 hours ago [-]
The sandbox command works well on systems using SELinux.
Hard for me to take that one seriously.. For example they call out byte swapping for endianness as the type of cruft holding back X11. Such a trivial thing to be concerned enough to put in the readme... (I guess Phoenix is also putting this..) Seems like mostly authored by Claude too.
https://docs.redhat.com/en/documentation/red_hat_enterprise_...
I have little experience with lxc but I guess waypipe could be an option too.
https://github.com/X11Libre/xserver/blob/master/doc/Xnamespa...
edit: phoenix was the name: https://github.com/external-mirrors/phoenix#phoenix