
Opened 3 weeks ago

Closed 3 days ago

Last modified 3 days ago

#2014 closed task (needinfo)

How is Xpra authenticating with the Xorg server to send Xvfb rendered data?

Reported by: Veek Owned by: Veek
Priority: minor Milestone: 2.5
Component: core Version: 0.17.x
Keywords: authentication Xorg Cc:

Description (last modified by Antoine Martin)

Does firejail rely on the application crashing out and why can't we use named pipes to .Xauthority?
I'm not able to start firejail with Xpra - it has difficulty authenticating with Xorg - I've opened issues on the firejail page. However after asking on SO, as you can see, the mechanism by which Xpra is authenticating with Xorg is unclear so I thought I'd ask.

If firejail is jailing the app and Xpra, how does Xpra send the rendered Xvfb data to the Xorg server? Xorg listens on @/tmp/X11/X0 so if you are jailed.. unless you have an open socket/data-structure that refers to the Xorg Context for your app.. how do you send Xorg any pixmap-data?

I tried debugging but strace wouldn't work.
How do I strace a suid/sgid program (firejail) as a normal user 'test' to see what's going wrong?
This is the error I was getting in 0.17.6+dfsg-1:

Error trying to create XAUTHORITY file /root/.Xauthority: [Errno 13] Permission denied: '/root/.Xauthority'
/usr/lib/xorg/Xorg.wrap: Only console users are allowed to run the X server
xauth:  timeout in locking authority file /root/.Xauthority
Error running "xauth add :20 MIT-MAGIC-COOKIE-1 693f9be8315445118be78da81d64c319": non-zero exit code: 1
2018-10-28 19:18:30,370 
2018-10-28 19:18:30,370 Xvfb command has terminated! xpra cannot continue
2018-10-28 19:18:30,371  if the display is already running, try a different one,
2018-10-28 19:18:30,371  or use the --use-display flag
2018-10-28 19:18:30,371 

From what I could make of it, xpra|firejail is trying to add a cookie to /root/.Xauthority (me) - why can't I feed a cookie to the 'test' account's Xauthority and have firejail/xpra read that? Once the app starts I can delete my copy of the cookie.

Additionally why does Xpra need to run Xvfb with permissions removed in Xwrapper.config? I can run Xvfb manually - I just need a way to feed the rendered data to Xorg - so how is Xpra doing this with auth?

Change History (3)

comment:1 Changed 3 weeks ago by Antoine Martin

Description: modified (diff)
Owner: changed from Antoine Martin to Veek

First and foremost, don't use xpra 0.17.6, it is old, unsupported and full of bugs, including severe security issues. (more details here: wiki/Packaging/DistributionPackages)

Second, don't run as root, even with firejail.

Additionally why does Xpra need to run Xvfb with permissions removed in Xwrapper.config?

The vfb command line usually configured by default in the xpra packages uses Xorg command line options which are not (normally) available when running suid. (see recent CVE on the subject)

If xpra cannot start the vfb, it will not run. Figure out why you can't run it before looking into xpra.
My best guess is that your outdated package tries to run the wrong Xorg binary. Switch to Xvfb or fix Xdummy to run properly within firejail.

I can run Xvfb manually - i just need a way to feed the rendered data to Xorg - so how is Xpra doing this with auth?

I don't understand what "feeding rendered data to Xorg" means here.
Xpra usually starts its own vfb and configures access using the xauth command. It can also use an existing display with --use-display=yes, in which case you are responsible for ensuring that xauth access is configured. ($XAUTHORITY)
Xpra uses xlib (via GTK) so there is no magic involved, xpra is just like any other (window manager) X11 client application.
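What the `xauth add :20 MIT-MAGIC-COOKIE-1 <cookie>` step from the log actually records, as an added example that is not part of this ticket or of xpra's own code: it builds the same length-prefixed record that xauth writes into the file $XAUTHORITY points at, creates that file 0600 for the current user so the cookie is never readable by other accounts, and parses it back. The `demo` helper, the temporary file path and the hostname lookup are this example's own assumptions; the display number and cookie value are taken from the log above.

```python
import os
import socket
import struct
import tempfile

FAMILY_LOCAL = 256  # the "hostname/unix:N" records that `xauth list` shows
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"

def _field(data):
    return struct.pack(">H", len(data)) + data  # 16-bit big-endian length prefix

def cookie_entry(display, cookie, family=FAMILY_LOCAL, address=None):
    """Serialize one record: family, address, display number, auth name, auth data."""
    if address is None:
        address = socket.gethostname().encode()  # what xauth stores for FamilyLocal
    number = display.lstrip(":").split(".")[0].encode()  # ":20.0" -> b"20"
    return (struct.pack(">H", family) + _field(address) + _field(number)
            + _field(COOKIE_NAME) + _field(cookie))

def parse_xauthority(blob):
    """Walk a whole authority file and return its records as dicts."""
    entries, pos = [], 0
    while pos < len(blob):
        family = struct.unpack_from(">H", blob, pos)[0]
        pos += 2
        fields = []
        for _ in range(4):  # address, number, name, data
            n = struct.unpack_from(">H", blob, pos)[0]
            fields.append(blob[pos + 2:pos + 2 + n])
            pos += 2 + n
        address, number, name, data = fields
        entries.append({"family": family, "address": address,
                        "number": number.decode(), "name": name, "data": data})
    return entries

def write_private_xauthority(path, display, cookie):
    """Create the file 0600 from the first byte so the cookie is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(cookie_entry(display, cookie))

def demo(display=":20", cookie_hex="693f9be8315445118be78da81d64c319"):
    """Round trip through a temp dir (hypothetical helper; values from the ticket log)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Xauthority")
        write_private_xauthority(path, display, bytes.fromhex(cookie_hex))
        mode = os.stat(path).st_mode & 0o777
        with open(path, "rb") as f:
            entries = parse_xauthority(f.read())
    return mode, entries
```

A file written this way for the 'test' account, with XAUTHORITY pointing at it, is exactly what an X client such as xpra reads; nothing in it refers to /root.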

comment:2 Changed 3 days ago by Antoine Martin

Resolution: needinfo
Status: new → closed

Not heard back.

comment:3 Changed 3 days ago by Veek

I gave up :p I figured out the auth stuff and how Xpra works - it's in the README/ASCII-dia but I didn't want to build. I'll try again later but it didn't seem worth it - compiling a gigantic firejail+Xpra+Xvfb just for one app-firefox. I also did some reading on trying to get it to work with linux native tools - Yama, Namespaces, cgroups etc but.. of course X is the problem..
