Does firejail rely on the application crashing out and why can't we use named pipes to .Xauthority? I'm not able to start firejail with Xpra - it has difficulty authenticating with Xorg - I've opened issues on the firejail page. However after asking on SO, as you can see, the mechanism by which Xpra is authenticating with Xorg is unclear so I thought I'd ask.
If firejail is jailing the app and Xpra, how does Xpra send the rendered Xvfb data to the Xorg server? Xorg listens ton @/tmp/X11/X0 so if you are jailed.. unless you have an open socket/data-structure that refers to the Xorg Context for your app.. how do you send Xorg any pixmap-data?
I tried debugging but strace wouldn't work How do I strace a suid/sgid program (firejail) as a normal user 'test' to see what's going wrong? This is the error I was getting in 0.17.6+dfsg-1:
Error trying to create XAUTHORITY file /root/.Xauthority: [Errno 13] Permission denied: '/root/.Xauthority' /usr/lib/xorg/Xorg.wrap: Only console users are allowed to run the X server xauth: timeout in locking authority file /root/.Xauthority Error running "xauth add :20 MIT-MAGIC-COOKIE-1 693f9be8315445118be78da81d64c319": non-zero exit code: 1 2018-10-28 19:18:30,370 2018-10-28 19:18:30,370 Xvfb command has terminated! xpra cannot continue 2018-10-28 19:18:30,371 if the display is already running, try a different one, 2018-10-28 19:18:30,371 or use the --use-display flag 2018-10-28 19:18:30,371
From what I could make of it, xpra|firejail is trying to add a cookie to /root/.Xauthority
(me) - why can't I feed a cookie to the 'test' account's Xauthority and have firejail/xpra read that? Once the app starts I can delete my copy of the cookie.
Additionally why does Xpra need to run Xvfb with permissions removed in Xwrapper.config? I can run Xvfb manually - i just need a way to feed the rendered data to Xorg - so how is Xpra doing this with auth?
First and foremost, don't use xpra 0.17.6, it is old, unsupported and full of bugs, including severe security issues. (more details here: wiki/Packaging/DistributionPackages)
Second, don't run as root, even with firejail.
Additionally why does Xpra need to run Xvfb with permissions removed in Xwrapper.config?
The vfb command line usually configured by default in the xpra packages uses Xorg command line options which are not (normally) available when running suid. (see recent CVE on the subject)
If xpra cannot start the vfb, it will not run. Figure out why you can't run it before looking into xpra. My best guess is that your outdated package tries to run the wrong Xorg binary. Switch to Xvfb or fix Xdummy to run properly for withing firejail.
I can run Xvfb manually - i just need a way to feed the rendered data to Xorg - so how is Xpra doing this with auth?
I don't understand what "feeding rendered data to Xorg" means here.
Xpra usually starts its own vfb and configures access using the xauth command. It can also use an existing display with --use-display=yes
, in which case you are responsible for ensuring that xauth access is configured. ($XAUTHORITY
)
Xpra uses xlib (via GTK) so there is no magic involved, xpra is just like any other (window manager) X11 client application.
Not heard back.
I gave up :p I figured out the auth stuff and how Xpra works - it's in the README/ASCII-dia but I didn't want to build. I'll try again later but it didn't seem worth it - compiling a gigantic firejail+Xpra+Xvfb just for one app-firefox. I also did some reading on trying to get it to work with linux native tools - Yama, Namespaces, cgroups etc but.. of course X is the problem..
You should use x11docker.
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2014