Conversation

this is truly incredible: https://github.com/X11Libre/xserver/pull/1627/files

they are using system(3) inside a security-critical domain (the display server).

but yes, sure, my refusal of xlibre on security grounds is the problem

@ariadne
breaking news: the x11 fork for chuds learning in real time why it's useful to keep gay furries on your security team

@ariadne Qualcomm-tier code (Quectel EG25-G firmware used system(3) too). I don't think even metux would accept this PR, but he does seem to have reviewed it and didn't mention use of system(3) as a problem.

@noisytoot system(3) should NEVER be used in a privileged security context, you can do all sorts of nasty things

@ariadne oh my fucking god why are they doing it like that

@Dio9sys @ariadne (cry can't we have a managed x11 fork that keeps the gay furries involved? pretty please? I'll create it if we need it)

@ariadne the x server for fascists is made by idiots. making it less secure in combination with being in a time where multiple desktops are completely abandoning the X Window System in favor of wayland. absolute cinema

@ariadne also why is it suddenly on github

@tauon hasn't it always been on github?

@ariadne In an academic sense, how bad is this actually? Assuming that X11 is already up and running before anybody can log in (no LD_PRELOAD or ENV fuckery) and "which" is a root-owned binary.

@developing_agent there's a few different ways to exploit it

- if you can control PATH (or the binaries in the directories referenced by PATH), you can run whatever you want in an elevated context

- there is an unescaped %s format string passed directly to the dialog application, that %s is a window title

- probably other things i'm not thinking about right now

@ariadne @Dio9sys i mean i'm specifically asking about x11/xorg here because *waves hands* old hardware support too?

@erikarn @Dio9sys yes, we are working on enabling 2D-only compositing in wayback

@ariadne Wait, so I just need to sneak in a binary named zenity to the front of the PATH to get it executed in an elevated security context?

@erikarn @Dio9sys nothing to link yet, but someone gave a talk at XDC about their plans to build a generic 2D compositing library for non-GPU chips (e.g. old school accelerated VGA chips), which could be used as a backend for wlroots

@ariadne they should fully spell out "/usr/bin/which". Bam, fixed it.

@erikarn @Dio9sys @ariadne I mean come on guys, it might be silly but what is the danger? They're calling which.

If you have a compromised version of which on your computer or in root's PATH you're already boned. So this is a bit of an overreaction. We don't need to dork dunk on people all the time.

@feld @Dio9sys @erikarn @ariadne There's at least one place where they're building commands using sprintf, with what at a cursory glance looks like "user-provided data", then simply call system(command) (line 660 in file shm.c, I suspect that client_name is under attacker control).

So, not guaranteed to be exploitable, but...

@vatine @feld@friedcheese.us @Dio9sys @erikarn

yes, this is not about using which at all. it is about the system(command) at line 660.

also there is xmessage(1) which is already part of the X11 distribution

@e_nomem @ariadne which (at least on... wherever I last read the manpage) doesn't start with PATH, annoyingly - it starts with some built-in paths like /bin for Some Fucking Reason.

(that doesn't excuse this very funny "security-feature", of course)

@barometz The "security-feature" is just *chef's kiss*

I was actually thinking that, if the user is not legitimately using zenity, getting a binary named zenity _anywhere_ in the PATH is sufficient to pop the box since it's checked first.

That's putting aside a process that names itself something like "'; rm -rf --no-preserve-root /; echo"

@ariadne

@e_nomem @barometz @ariadne I'm not sure how you'd do it though? Since $PATH is going to be inherited from whenever X started?

@developing_agent @e_nomem @barometz the real problem isn't the which stuff, it is the system(command) later that was generated using sprintf()

@ariadne system(), the gift that keeps on giving.

But the whole patch looks very wtf.

@ariadne ngl I'd straight up forgotten that system(3) even existed since using it is such a bad idea

@ariadne@treehouse.systems

  • reads toot
  • vague confusion
  • man 3 system
  • HOLY FORKING SHIRTBALLS
Yeah, that's baaaaad.

@ariadne @Dio9sys that's pretty neat looking.

Thing is, the SGI hardware i'm hacking on doesn't even expose a linear framebuffer. It ranges from "you get to blit things into the framebuffer, but you need to use DMA/PIO to read/write regions if you're not doing shapes" to "oh yeah i have a framebuffer but it's in like 32x32 or 64x64 tiles."

I'm filling in the missing ye olde acceleration stuff for the newport graphics x11 acceleration. It's tedious, but fun. No linear framebuffer.

@ariadne i feel like there's no good way to do what they're doing without the xserver drawing the prompt itself, or some sort of tight coupling with the wm/xcompositor

@ariadne ok, so what? it's a fixed command string, no parameters are passed which could be escaped, if your `which` is compromised you are done for either way. I see nothing wrong with it.

@gorplop so you think that this code will be okay when it encounters a process named `" && (){ :|:&; }; :&`? why do you think that? just wondering.

@gorplop and if you think that is not possible, you may want to read about setprocname(3) and setproctitle(3).

@ariadne oh well, ok, that code sucks. Still, that's an open PR.

@gorplop an open PR which metux has reviewed but not rejected. the point is that there is not acceptable quality control in Xlibre given the privileged nature of display servers.

@gorplop as this is a process and leadership problem, there are hundreds more which have been merged. many of which have been unmerged in upstream.

there are quite a few reactionaries in my comments, some of which have been defederated in their entirety.

for the others:

1. although the system("which ...") use is silly, that isn't the problem here.

2. what do you think will happen when the code in this PR encounters a process named `" && :() { : | : & }; :&`? will it safely handle such a process name? before saying "that's impossible" please read setprocname(3), setproctitle(3), or in the case of Linux, understand that argv[0] is mutable.

3. yes, it is an open PR. it is also reflective of the code quality of many other PRs which have been merged to Xlibre already. how do you think that impacts its security record?

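An added example from the editor, not code from the X11Libre PR, the X server, or any participant in this thread. It puts the two points raised above side by side: ariadne's list of ways to exploit the PR (PATH control, and the unescaped %s that lands in a window title) and point 2 of the summary, a client whose process name carries shell syntax. Everything in it is hypothetical or constructed: the zenity invocation and the /usr/bin/zenity path, the HOSTILE_CLIENT_NAME sample input, and the function names. The PR's own code is not reproduced.

```c
/* Editor's example: sprintf()+system() versus an argv-based exec.
 * Not code from X11Libre; the helper path and sample name are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample input: a client whose argv[0] has been rewritten
 * (setproctitle(3), or plain writes to argv[0] on Linux) to carry shell syntax. */
static const char *HOSTILE_CLIENT_NAME = "\"; touch /tmp/pwned; echo \"";

/* 1. The vulnerable shape: interpolate the client name into a command string
 *    destined for system(3). system() runs "sh -c <cmd>", so the shell parses
 *    whatever the client put in its name. Returns the command length, or -1
 *    on truncation. The command is only built here, never executed. */
int build_dialog_command(char *out, size_t outsz, const char *client_name)
{
    int n = snprintf(out, outsz,
                     "zenity --question --title=\"%s\" --text=\"Allow access?\"",
                     client_name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* 2. Would sh(1) treat any byte of the name as syntax inside double quotes?
 *    Double quotes are not a sanitiser: " $ ` \ and newline still terminate
 *    or escape the quoting. Returns 1 if the name is unsafe, else 0. */
int shell_unsafe(const char *s)
{
    return strpbrk(s, "\"$`\\\n") != NULL;
}

/* 3. A whitelist sanitiser of the kind the thread mentions: keep only bytes
 *    that can never be shell syntax, replace everything else with '_'.
 *    Returns the number of bytes rewritten. This shrinks the attack surface
 *    but still routes the name through a shell, so it is the weaker fix. */
int sanitize_title(const char *in, char *out, size_t outsz)
{
    int replaced = 0;
    size_t i;
    for (i = 0; i + 1 < outsz && in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isalnum(c) || c == ' ' || c == '.' || c == '-' || c == '_') {
            out[i] = (char)c;
        } else {
            out[i] = '_';
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

/* 4. The fix that removes the bug class: no shell at all. The name becomes
 *    exactly one argv element, and the helper is started by absolute path
 *    with execv(), so the PATH inherited from whatever launched the server
 *    is never consulted. DIALOG_PATH is an assumption for this example.
 *    Returns the dialog's exit status, or -1 if it could not be started. */
#define DIALOG_PATH "/usr/bin/zenity"

int run_dialog_argv(const char *client_name)
{
    char title[1024];
    if (snprintf(title, sizeof title, "--title=%s", client_name) >= (int)sizeof title)
        return -1;
    char *const argv[] = { DIALOG_PATH, "--question", title,
                           "--text=Allow access?", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(DIALOG_PATH, argv);   /* execv, not execvp: no PATH search */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[1024], clean[1024];
    build_dialog_command(cmd, sizeof cmd, HOSTILE_CLIENT_NAME);
    printf("command that would be handed to sh -c:\n  %s\n", cmd);
    printf("shell_unsafe: %d\n", shell_unsafe(HOSTILE_CLIENT_NAME));
    sanitize_title(HOSTILE_CLIENT_NAME, clean, sizeof clean);
    printf("whitelisted title: %s\n", clean);
    /* run_dialog_argv(HOSTILE_CLIENT_NAME) would show the dialog with the
     * hostile bytes as a literal title and run nothing else. */
    return 0;
}
```

build_dialog_command() is the shape under discussion; it deliberately stops short of calling system() because the point is the string sh -c would receive. sanitize_title() is the whitelist approach mentioned later in the thread; it limits what gets through but keeps a shell in the loop. run_dialog_argv() is the change a reviewer would ask for: the title is one argv element, so no metacharacter in a process name is ever parsed, and execv() by absolute path also answers the which/PATH concern.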
and yes, sometimes i post these things as bait to find out if we are missing alt-right reactionary servers that we need to defederate. it's like vaccines but for social media ❤️

by the way, the ":() { : | : & }; :&" part earlier? that's a forkbomb. don't run it unless you want to deal with the consequences of running a forkbomb (in most cases, hard rebooting).

@ariadne In fact I've yet to find a system where you're not stuck with hard-rebooting in case of the shell fork-bomb.
Softer ones where it just spawns processes in a loop but stays open being much easier to deal with.

@lanodan if you ctrl-c immediately and then kill all shells, it should recover :)))

@ariadne Why is the X11 server a security boundary on your setup

Anything that has X11 access should be assumed to have at least the same privs as the user running the X11 server (which is hopefully just the regular user that owns the session)

NaziXorg X11Libre has a whole lot of other shit to laugh at it for

@ity so this code will be fine if it encounters a process named `(){ :|:& }; :&`?

@ariadne the amateurs over at x11libre aren't going to know that

@ariadne I don't see how that's relevant to what I said

@ity at any rate, it is a security boundary because it mediates access to data between processes. they have also added their own extension to further mediate access to data between processes. this extension is, like the X Security extension before it, comically bad.

also: please understand security fundamentals beyond that of simple UNIX user accounts

@ariadne You're not like surprised by this I hope. 90% of Nazis are incompetent, and Xlibre didn't get any of the actually dangerous ones

@haematophage @Dio9sys
TLDR: X11 forks are going to run into problems,

Problem is, X11 as protocol has problems, which can't be (neatly) resolved without creating X12 which would need a compatibility layer for X11.
At this point developers decided to not carry the burden and started over.

Not to mention the Xorg code base and quirks. You can test developers on that. I would doubt devs not swearing like a sailor within minutes.

@gom @Dio9sys what are the problems with the protocol that cannot be resolved?

@haematophage @Dio9sys
Colour format in X11 is 32bit (rgb+alpha, each 8bit). HDR won't work without redefining the colour format. 40bit with 10bit for each channel or 10bit rgb, 2bit alpha (wtf?!, but this was floated for XLibre)

Isolating applications, it's part of Wayland, but not part of X11 and Xorg. Xlibre introduced a namespace extension, providing optional security if this extension is used.
"Optional security" most of the time is equal to "no security, but warm feelings".. Just don't!

@gom @Dio9sys

A) i am not a professional photographer and i imagine that very few linux users are, so compatibility with a colour format that is barely even implemented in industry-grade technology is at the bottom of my list of "things that need to be solved at any cost"

B) this is not a problem with the protocol, this is a way you would like things to operate so that you can have warm feelings. Wayland takes a steak knife and gives me a butter knife instead, because somebody could walk in and stab me with a steak knife. When I point out that I like steak and lock my door, they tell me that if i really need to cut steak I should tell the butcher to add support for butter knives.

@haematophage @Dio9sys
A) "It's not part of my use case and I doubt that this interests a lot of people" is not how one should design a protocol.
On the other hand, proper screen and HDR videos are just nice and work with wayland without having "professional" needs.

B) What?

@gom

HDR is actually becoming increasingly used in gaming!

@Dio9sys @ariadne I mean at this point, we might as well put a gay trans furry directly on the X11 board of directors.

Oh wait @Lyude

@ariadne I think the bigger issue is the fact that, if I understand correctly, none of these labels are translatable

@TheEvilSkeleton i mean, accessibility seems important in a vista UAC-like feature, yes

@ariadne To be fair, that's just a PR and hasn't been merged... But since the author is listed as a previous contributor, that's not inspiring confidence? :S

Also, to their credit, they added whitelist-based string sanitisation! For printing into their char text[1024]—C code like it's 1990 🤟

Looks also like two of the maintainers have said "no" to the PR.

@ariadne btw isn't this the guy also "maintaining" WinRing0? THAT actually spooks the living heck out of me.

@ariadne @voidanix it’s a hack/driver for allowing unprivileged programs to access hardware devices, like for example LED RGB control programs

@ariadne my friend has a tattoo of this which i think is kinda cool
