For discussion of Alpine Linux development and developer support

[alpine-devel] main/xorg-server: Enable xcsecurity to allow ssh X11 forwarding

Jean-Louis Fuchs
Message ID: <20170304135150.GA5099@angua.1042.ch>
Sender timestamp: 1488635510

Hi

Could somebody take a look at this issue:

http://bugs.alpinelinux.org/issues/6696

I know I should have sent a patch to the aports list, but I missed the
wiki-page about patches. I don't want to duplicate things, so I hope
we can solve this on the bug-tracker.

Best,
    Jean-Louis

Igor Falcomatà
Message ID: <de6d5b2f-196a-669c-38d5-517b2093909e@cioccolatai.it>
In-Reply-To: <20170304135150.GA5099@angua.1042.ch>
Sender timestamp: 1488639441

On 03/04/2017 02:51 PM, Jean-Louis Fuchs wrote:

> Could somebody take a look at this issue:
>
> http://bugs.alpinelinux.org/issues/6696
>
> I know I should have sent a patch to the aports list, but I missed the
> wiki-page about patches. I don't want to duplicate things, so I hope
> we can solve this on the bug-tracker.

AFAIK, XCSECURITY is disabled on most (Linux) Xorg packages, and on
FreeBSD and Cygwin too (just search xcsecurity/xsecurity on Google).

I just tried some weeks ago to use ssh -X on an OpenBSD X11 server, and
many applications just crash with "bad access" or similar, as noted in
this mail:
https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html

Of course it is still possible to use ssh -Y to connect to Xorg 
remotely, using the "trusted forwarding".

ciao,
I.


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---

Jean-Louis Fuchs
Message ID: <20170304155400.GA25823@angua.1042.ch>
In-Reply-To: <662e9ec7-a3d9-5f07-1646-a05cc409a046@cioccolatai.it>
Sender timestamp: 1488642840

Hi I

On Sat, Mar 04, 2017 at 04:00:28PM +0100, lists@cioccolatai.it wrote:
> On 03/04/2017 02:51 PM, Jean-Louis Fuchs wrote:
> 
> > Could somebody take a look at this issue:
> > 
> > http://bugs.alpinelinux.org/issues/6696
> > 
> > I know I should have sent a patch to the aports list, but I missed the
> > wiki-page about patches. I don't want to duplicate things, so I hope
> > we can solve this on the bug-tracker.
> 
> AFAIK, XCSECURITY is disabled on most (Linux) Xorg packages, and on FreeBSD
> and Cygwin too (just search xcsecurity/xsecurity on Google).

ssh -X works on Debian, Arch, Ubuntu, Fedora, CentOS, SuSE.
The only distro that I know that has no xcsecurity is Alpine.

> I just tried some weeks ago to use ssh -X on an OpenBSD X11 server, and many
> applications just crash with "bad access" or similar, as noted in this
> mail:
> https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html

All my applications work without problems. We have been using it for more
than 10 years, never had a single problem.
 
> Of course it is still possible to use ssh -Y to connect to Xorg remotely,
> using the "trusted forwarding".

Well, I don't want to do trusted forwarding, because you have to trust
the machine you forward to 100%.

ssh -X is definitely nothing special, unstable or esoteric. But I
don't understand the security implications completely, so I can accept
a well-founded no.

Best,
    Jean-Louis

lists@cioccolatai.it
Message ID: <288e9db1-2142-62fc-2974-9194bc8ac0f9@cioccolatai.it>
In-Reply-To: <20170304155400.GA25823@angua.1042.ch>
Sender timestamp: 1488649985

On 03/04/2017 04:54 PM, Jean-Louis Fuchs wrote:

>>> Could somebody take a look at this issue:
>>> http://bugs.alpinelinux.org/issues/6696

NB: I'm not the/a maintainer of the xorg package (or any other package)

>>> I know I should have sent a patch to the aports list, but I missed the
>>> wiki-page about patches. I don't want to duplicate things, so I hope
>>> we can solve this on the bug-tracker.
>>
>> AFAIK, XCSECURITY is disabled on most (Linux) Xorg packages, and on FreeBSD
>> and Cygwin too (just search xcsecurity/xsecurity on Google).
>
> ssh -X works on Debian, Arch, Ubuntu, Fedora, CentOS, SuSE.
> The only distro that I know that has no xcsecurity is alpine.

Ok, my fault, when I was researching this subject some time ago, I
found that these extensions were disabled by default by upstream
(generic reasons like "obsolete" a/o "insecure") in favor of the new
XACE extensions (which seem to be at least not used/incomplete, maybe
someone has more updated info?)

After that various distros (Debian, Red Hat, ..) have re-enabled it, e.g.:
https://www.redhat.com/archives/rhsa-announce/2013-November/msg00028.html
http://metadata.ftp-master.debian.org/changelogs/main/x/xorg-server/stable_changelog

but I'm on Slackware (and Alpine) so I didn't notice it :)

>> I just tried some weeks ago to use ssh -X on an OpenBSD X11 server, and many
>> applications just crash with "bad access" or similar, as noted in this
>> mail:
>> https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html
>
> All my applications work without problems. We have been using it for more
> than 10 years, never had a single problem.
> ssh -X is definitely nothing special, unstable or esoteric. But I

That's interesting, good to know; I was also using ssh -X a lot, but
since it was disabled upstream I got this kind of trouble every time
I tried; probably I have to test again, using the same distro/settings
on both clients and server.

> don't understand the security implications completely, so I can accept
> a well-founded no.

Did you already try to recompile xorg on Alpine with -xcsecurity enabled?

ciao,
I.
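
The thread turns on two inputs: whether the client asks for untrusted (`ssh -X`) or trusted (`ssh -Y`) forwarding, and whether the local X server was built with the SECURITY extension that `xcsecurity` enables. The shell function below is an added example, not part of the original thread; the function name `x11_forward_mode`, the host name and the sample `ssh -G` / `xdpyinfo` output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which X11 forwarding mode a
# client configuration leads to. Inputs are plain text so it runs offline:
#   $1 = effective client config, as printed by `ssh -G <host>`
#   $2 = local X server info, as printed by `xdpyinfo`
x11_forward_mode() {
    cfg=$1
    xdpy=$2
    fwd=$(printf '%s\n' "$cfg" | awk '$1 == "forwardx11" { print $2 }')
    trusted=$(printf '%s\n' "$cfg" | awk '$1 == "forwardx11trusted" { print $2 }')

    if [ "$fwd" != "yes" ]; then
        echo "disabled"                 # no X11 forwarding requested
    elif [ "$trusted" = "yes" ]; then
        echo "trusted"                  # ssh -Y: SECURITY extension not needed
    elif printf '%s\n' "$xdpy" | grep -q '^[[:space:]]*SECURITY[[:space:]]*$'; then
        echo "untrusted"                # ssh -X and the server offers SECURITY
    else
        echo "untrusted-unavailable"    # ssh -X requested, server lacks SECURITY
    fi
}

# Constructed sample inputs (trimmed; real output has many more lines).
SSH_X='hostname build.example.org
forwardx11 yes
forwardx11trusted no
forwardx11timeout 1200'

SSH_Y='hostname build.example.org
forwardx11 yes
forwardx11trusted yes'

XDPY_WITH_SECURITY='number of extensions:    4
    BIG-REQUESTS
    MIT-SHM
    SECURITY
    XFIXES'

XDPY_WITHOUT_SECURITY='number of extensions:    3
    BIG-REQUESTS
    MIT-SHM
    XFIXES'

echo "-X, server with SECURITY:    $(x11_forward_mode "$SSH_X" "$XDPY_WITH_SECURITY")"
echo "-X, server without SECURITY: $(x11_forward_mode "$SSH_X" "$XDPY_WITHOUT_SECURITY")"
echo "-Y, server without SECURITY: $(x11_forward_mode "$SSH_Y" "$XDPY_WITHOUT_SECURITY")"
```

On a live system the same function can be called as `x11_forward_mode "$(ssh -G somehost)" "$(xdpyinfo)"`, where `somehost` is a placeholder.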