[lug] Firefox chroot

Daniel Webb lists at danielwebb.us
Tue Feb 27 00:43:10 MST 2007

On Mon, Feb 26, 2007 at 10:20:58PM -0700, David L. Anselmi wrote:

> If you're forwarding the X session (using SSH) from the chroot to your X 
> server I'd think you'd be vulnerable.  Not that that's a very common 
> config for people to attack--it would have to combine more than one exploit.

Is there a difference between forwarding X sessions over SSH and what I'm
doing?  I just run the program in the chroot with DISPLAY=:1, and also do
"xhost inet:localhost" on the server side, so there's no X server running on
the chroot side.  I don't think it's any different than if I was in another
state and using SSH to forward the X connection over TCP/IP.  I don't fully
understand how it works, though, so I could be confused.
> If you run a separate X server in the chroot (sounds like you do) then 
> your security would depend on vulnerabilities in the VNC client.  Again, 
> not a likely config for exploits to run against.

I guess adding more steps before compromise is always a good thing, I'm just
wondering how good my security is.  

Does anybody know if a X program can see any and every keystroke on the X
server it's connected to, or does the window manager filter the keystrokes and
only send the appropriate ones to the clients that need it?

I found these:


and the answer appears to be "any X application can see the keys of any other
X application", with this exception:

Xterms mechanism for hindering other X clients to read the keyboard
during entering of sensitive data, passwords etc. is by using the
XGrabKeyboard() call. Only one process can grab the keyboard at any
one time. To activate the Secure Keyboard option, choose the Main
Options menu in your Xterm window (CTRL+Left mouse button) and select
Secure Keyboard.  If the colors of your xterm window inverts, the
keyboard is now Grabbed, and no other X client can read the KeySyms.

So what I should really be doing is running a VNC X server in the chroot and
connecting to the VNC server from the main application server instead of
forwarding the X connection out of the chroot (in other words, connect into
the chroot instead of connecting out).


More information about the LUG mailing list