Jonathan Thornburg <jth...@astro.indiana.edu> wrote:
> Summary
> -------
> As described in another thread
> (<http://marc.info/?l=openbsd-misc&m=141677224322425&w=1>),
> I'm trying to run firefox as a non-privileged user _firefox, talking
> to my X server (no Xephyr yet) via an ssh tunnel. But I've discovered
> a serious flaw in this scheme: cut-n-paste is completely broken. In
> fact, it looks like cut-n-paste from any X client with a diferent
> uid/gid than the X server is broken. :(
>
> My basic question is, is there any way to fix this?
This is the point, of course, that the client cannot communicate with
the host X server. It's not just from a different uid. I think the
easiest solution would be to write a script which you can run in a host
xterm "ffpaste ..." which makes ... the clipboard in the Xephyr window.
Of course you could probably also write a script to sync the clipboard
automatically (and in fact this is the top result for a Google search
"Xephyr copy paste"), but perhaps this would default the purpose of
running Firefox in a different X server.
Oh I'm sorry, I read that wrong. If you use Xephyr the clients cannot
communicate clipboards (of course they can communicate otherwise if they
are running as the same user). The above is right for a client in
Xephyr.
I can, however, paste into an X client running on another machine in the
same X server. I don't have a local SSH server and didn't try that, but
I fail to see why that shouldn't work since it goes over the network
irregardless of what user the process runs as. But that X client can
talk to all the other X clients on this server and that defeats the
whole point of all this.
A note however: it would be very nice if Firefox would fork, chroot, and
drop privileges on the renderer. Perhaps I shouldn't say this without
having Mozilla's opinion on such a scheme, but Mozilla seems more
interested in shiny redesigns. As Theo said to your inquiry about a
secure image viewer, such behavior is rare outside OpenBSD.
>
>
>
> Details:
> -------
>
> Lenovo Thinkpad T60, 3GB RAM + 6GB swap. Fresh install of OpenBSD 5.6
> from the CD, updated to -stable as of 2014-11-19. My usual login is
> in login class staff, for which I've edited /etc/login.conf to set the
> memoryuse, datasize, and stacksize limits (all both -cur and -max) to
> 'infinity', so there should be enough memory for firefox to run ok.
>
> I use twm(1) as my window manager. firefox is the 5.6 package, but
> I've renamed the binary:
>
> # cd /usr/local/bin; mv firefox firefox.bin
>
> I used adduser(8) to create a new unpriviliged user _firefox,
> group _firefox, no other group memberships, login class staff.
> I've set up ssh authentication so I can ssh to _firefox.
>
> Now, in an xterm, call it xterm #1:
> % ssh -X -i $HOME/.ssh/firefox_id_rsa _firefox@localhost
>
> This gives me a shell (in that same xterm #1) running as uid/gid
> _firefox, with ssh proxying and tunneling X back to my X server.
> (I'm not using Xephyr(1) at this point.)
>
> Now, in the _firefox shell,
>
> $ firefox.bin &
>
> I get a a couple of warning messages that the ssh proxy/tunnel is
> lacking some X protocol extensions
>
> Xlib: extension "RANDR" missing on display "localhost:10.0".
> Xlib: extension "MIT-SHM" missing on display "localhost:10.0".
>
> but then firefox starts and runs fine.
>
> Now suppose I try to cut-n-paste some text from the firefox window to
> (say) a vi (in insert mode) which is running in some other xterm window
> (call this one xterm #2). [For twm, 'cut-n-paste' means double- or
> triple-left-click to select, then middle-click to paste.] This goes
> badly awry:
> * the cut appears to work normally (text is highlighted)
> * the paste appears to be a no-op, ... but
> * a few seconds later, the target xterm window (#2) disappears (and
> the vi and xterm processes are gone)
>
>
>
> To see if this is a firefox issue, or a more generic problem with
> cut-n-paste between X clients running with different uid/gid, I tried
> starting an xterm instead of a firefox process. That is, from the
> _firefox shell, I typed
>
> $ xterm &
>
> and in the newly-started xterm (call it xterm #3) typed a few commands
> to put some text on the screen
>
> $ echo hello world
> hello world
> $ banner hello
>
> # # ###### # # ####
> # # # # # # #
> ###### ##### # # # #
> # # # # # # #
> # # # # # # #
> # # ###### ###### ###### ####
>
> $
>
> then I tried to cut-n-paste the banner 'hello' text from xterm #3
> into somewhere else.
>
> The result was that the cut operation killed the xterm #3 window, with
> the following X error message displayed back in the _firefox shell
> running in xterm #1:
>
> $ xterm &
> [1] 25801
> $ xterm: warning, error event received:
> X Error of failed request: BadAccess (attempt to access private resource
> denied)
> Major opcode of failed request: 18 (X_ChangeProperty)
> Serial number of failed request: 599
> Current serial number in output stream: 600
>
> [1] + Done (83) xterm
> $
>
> (Interestingly, I had no problem cut-n-pasting that error text from
> xterm #1 into a vi (in insert mode) over in still another xterm window.
>
>
>
> What I conclude from all of this is that (apparently) my window manager
> and/or X server have noticed that {firefox, xterm #3} are running as
> uid/gid _firefox/_firefox, while my {window manager, X server} have my
> usual (different) uid/gid, so the cut-n-paste attempt (indeed, the cut
> itself, judging by the xterm error message) is blocked.
>
> So... questions:
> * is this indeed what's going on?
> * it's been a long time since I tried cut-n-paste from a 'remote'
> window; is this what usually happens [I'll try some tests...]?
> * what piece of software is enforcing this security policy?
> (once I find that out, then I can investigate if/how the policy
> might be configured to be more suitable to my needs)
> * given my underlying goal of trying to exploit-mitigate firefox
> (<http://marc.info/?l=openbsd-misc&m=141616701418506&w=1>),
> what other options are there for handling cut-n-paste?
> (Maybe xcutsel(1) and/or xclipboard(1) would be useful here?)
>
> ciao,
>
> --
> -- "Jonathan Thornburg [remove -animal to reply]"
> <jth...@astro.indiana-zebra.edu>
> Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
> "There was of course no way of knowing whether you were being watched
> at any given moment. How often, or on what system, the Thought Police
> plugged in on any individual wire was guesswork. It was even conceivable
> that they watched everybody all the time." -- George Orwell, "1984"
-- Martin Brandenburg
