
> What does it protect against?

Unless you're doing SELinux or using some tool like firejail, absolutely nothing?

The average desktop is completely insecure, regardless of the display protocol. If a program is running as your user it's already game over: it can do whatever it likes. For example, I can simply change your shell profile to add an LD_PRELOAD shim, hook some libc syscall wrapper and run arbitrary code in any user process. There's no need to log key presses.





Keep in mind that X11 is a protocol, so the client might not be running as your user on your local machine, it could be a dedicated machine that's only running the client.

In this case (again, it's not important, because in our timeline X11 is old) you might proxy the clipboard feature with a trusted and an untrusted connection. The untrusted connection needs to be careful, because it's exposed to arbitrary nastiness from potentially hostile clipboard-using software; the trusted one talks to everybody else. So, as an example, you might decide to sanitize text, strip out invisible control characters, and exclude "rich" text formats that might conceal attacks. Or you might allow some images, but only after previewing them and constraining their properties: no 18GB GIFs please (yes, it's technically possible to encode a huge truecolor image as a single GIF; no, I don't want that in my clipboard).

Is this something we should try to implement? Probably not, but in a world where people try to kite surf across the English Channel it's nowhere close to the craziest hobby.
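The untrusted side of the clipboard proxy sketched in that comment, written out as an added example (not code from the thread): it forwards only an allow-list of selection targets, strips control and invisible formatting characters from text, and accepts images only after parsing the header and bounding the declared pixel count. The target names, the pixel budget and the sample PNG/GIF headers are constructed for the example.

```python
"""Filter for the untrusted side of a clipboard/selection proxy.

Added example, not code from the thread. It models the untrusted connection:
- only a small allow-list of selection targets is forwarded (no text/html, text/rtf, ...),
- text is stripped of control and invisible formatting characters,
- images are accepted only after parsing the header and bounding their pixel count.
"""
import struct
import unicodedata

# Constructed allow-list: plain text plus two image formats whose headers we can check.
ALLOWED_TARGETS = {'UTF8_STRING', 'text/plain', 'text/plain;charset=utf-8',
                   'image/png', 'image/gif'}
MAX_PIXELS = 4096 * 4096  # constructed limit: nothing larger than 16 megapixels


def filter_targets(offered):
    """Return the subset of offered targets the proxy will forward.
    Rich-text and application-specific formats are dropped because they can
    carry content the user never sees."""
    return [t for t in offered if t in ALLOWED_TARGETS]


def sanitize_text(text):
    """Drop control characters (Cc) other than tab/newline, format characters
    (Cf: zero-width joiners, bidi overrides, BOM), and surrogate, private-use and
    unassigned code points. '\\r' is a control character, so CRLF becomes LF."""
    out = []
    for ch in text:
        if ch in '\t\n':
            out.append(ch)
        elif unicodedata.category(ch).startswith('C'):
            continue  # Cc, Cf, Cs, Co, Cn are all dropped
        else:
            out.append(ch)
    return ''.join(out)


def image_dimensions(data):
    """Read width/height from a PNG or GIF header without decoding the image.
    Returns (mime_type, width, height) or raises ValueError."""
    if data[:8] == b'\x89PNG\r\n\x1a\n':
        # IHDR must be the first chunk: length(4) 'IHDR'(4) width(4) height(4), big-endian
        if len(data) < 24 or data[12:16] != b'IHDR':
            raise ValueError('PNG without leading IHDR chunk')
        w, h = struct.unpack('>II', data[16:24])
        return 'image/png', w, h
    if data[:6] in (b'GIF87a', b'GIF89a'):
        # Logical screen width/height follow the signature as little-endian u16
        if len(data) < 10:
            raise ValueError('truncated GIF header')
        w, h = struct.unpack('<HH', data[6:10])
        return 'image/gif', w, h
    raise ValueError('unrecognised image format')


def accept_image(data, max_pixels=MAX_PIXELS):
    """True only if the header parses and the declared size fits the pixel budget."""
    try:
        _, w, h = image_dimensions(data)
    except ValueError:
        return False
    return 0 < w * h <= max_pixels


# Constructed sample inputs (headers only; no real image data is needed for the check).
SMALL_PNG = (b'\x89PNG\r\n\x1a\n' + struct.pack('>I', 13) + b'IHDR'
             + struct.pack('>II', 640, 480) + b'\x08\x02\x00\x00\x00')
HUGE_GIF = b'GIF89a' + struct.pack('<HH', 65535, 65535)  # largest logical screen GIF allows

if __name__ == '__main__':
    print(filter_targets(['UTF8_STRING', 'text/html', 'text/rtf', 'image/gif']))
    print(repr(sanitize_text('hello\u200b\x07 world\u202e')))
    print(accept_image(SMALL_PNG), accept_image(HUGE_GIF), accept_image(b'not an image'))
```

Checking the header is deliberately cheap: the point is to refuse to decode anything whose declared dimensions are already out of budget, rather than to discover that after the decoder has allocated the buffer.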


> Keep in mind that X11 is a protocol, so the client might not be running as your user on your local machine, it could be a dedicated machine that's only running the client.

For an X server to be network exposed, you first have to either SSH forward it or remove the nowadays-default "-nolisten TCP", and then either get the xauth secret or have the user do 'xhost +'.

At that point I'm gonna say the attacker earned their keylogger access.

And you or your distro might consider patching out the TCP variant.
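A check for the two exposure conditions that comment names, as an added example (not code from the thread): whether the X server is listening on TCP at all (i.e. was started without `-nolisten tcp`) and whether `xhost +` has disabled access control. It parses text in the formats printed by `xhost` and `ss -ltn`; the sample outputs embedded here are constructed so the script runs offline, and in real use you would feed it the live command output.

```python
"""Audit an X server for TCP exposure and disabled access control.

Added example, not from the thread. Parses `xhost` and `ss -ltn` output; the
SAMPLE_* strings below are constructed test data in those formats.
"""
import re

X_BASE_PORT = 6000  # X display :N listens on TCP port 6000+N
ACCESS_DISABLED = 'access control disabled'  # first line of `xhost` after `xhost +`


def xhost_access_disabled(xhost_output):
    """True when `xhost` reports access control is off: any host that can reach the
    server's TCP port may connect without an xauth cookie."""
    lines = xhost_output.strip().splitlines()
    return bool(lines) and lines[0].startswith(ACCESS_DISABLED)


def xhost_non_local_entries(xhost_output):
    """xhost entries other than 'SI:localuser:...' (server-interpreted, local-user
    grants), e.g. 'INET:host' entries added with `xhost +host`."""
    entries = [l.strip() for l in xhost_output.strip().splitlines()[1:] if l.strip()]
    return [e for e in entries if not e.startswith('SI:localuser:')]


# `ss -ltn` data line: State Recv-Q Send-Q Local:Port Peer:Port
_SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s')


def x_tcp_listeners(ss_output):
    """Return (address, display) for each listening TCP socket in the X port range.
    Loopback-only listeners are still reported: they are reachable by every local
    user and by anything forwarded in over SSH."""
    found = []
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if not m:
            continue
        port = int(m.group('port'))
        if X_BASE_PORT <= port < X_BASE_PORT + 64:
            found.append((m.group('addr'), port - X_BASE_PORT))
    return found


def audit(xhost_output, ss_output):
    """Combine the checks; an empty list means neither exposure condition is present."""
    findings = []
    for addr, display in x_tcp_listeners(ss_output):
        scope = 'loopback only' if addr in ('127.0.0.1', '[::1]') else 'all interfaces'
        findings.append(f'X display :{display} listening on TCP ({addr}, {scope}); '
                        f'start the server with -nolisten tcp')
    if xhost_access_disabled(xhost_output):
        findings.append("xhost access control disabled ('xhost +'); run 'xhost -' to re-enable")
    for entry in xhost_non_local_entries(xhost_output):
        findings.append(f'xhost grants access to non-local entry {entry!r}')
    return findings


# Constructed sample output in the formats of `xhost` and `ss -ltn`.
SAMPLE_XHOST = """access control disabled, clients can connect from any host
SI:localuser:alice
INET:menger
"""
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    [::]:6000          [::]:*
"""
SAFE_XHOST = "access control enabled, only authorized clients can connect\nSI:localuser:alice\n"
SAFE_SS = "State Recv-Q Send-Q Local Address:Port Peer Address:Port\nLISTEN 0 128 127.0.0.1:631 0.0.0.0:*\n"

if __name__ == '__main__':
    for f in audit(SAMPLE_XHOST, SAMPLE_SS):
        print('-', f)
    print('safe config findings:', audit(SAFE_XHOST, SAFE_SS))
```

On a default modern setup the first half should report nothing, because the server is started with `-nolisten tcp`; the `xhost` half catches the case where the user has loosened access control by hand.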


Saying 'xhost +menger' and being able to run graphical apps from my university's Sun server -- OPEN LOOK apps at that -- on my local Linux machine was peak 1990s computing.

> the client might not be running as your user on your local machine

True, this is probably the only real use case. X11 forwarding in OpenSSH (ssh -X) does in fact use this extension by default.



Hi Uecker!

I really don't know if this is the best place to ask, but I don't know anywhere else to ask you, so... Is C2Y getting any generic programming features? I'd really love the one with _Type as a new type that stores a type.


I hope so. WG14 seems to like it (but not everybody), but it is not existing practice. So it will mostly depend on me creating a prototype and doing a lot of convincing.

Wayland's security isolation is a necessary, but not sufficient, measure to prevent this kind of attack.

It is not an attack if there is no privilege boundary in the first place. One could argue that there should be, but then X's security would have also worked, which is the point of the article. The problem was that Wayland propaganda pretended actual users would benefit from improved security immediately because there was a gaping security hole. The point of the linked repo is that this is nonsense and typical Linux users do not benefit at all.

you're right, but sec is about threat profiles. there's a point where selinux, firejail, etc. aren't enough either. even a virtual machine may as well be wet rice paper to an alphabet soup agency. you should very much assume that even airgapping isn't enough, unless it's inside of a faraday cage.

xorg security measures are a different matter from stopping any random program from writing to your filesystem. broaden the conversation to be about all security across all attack surfaces under all conditions and nothing is safe. i'm still not gonna run everything as root.


There is no threat profile where the attacker can run an XNextEvent() loop and log your password, but somehow cannot alter the .desktop file for your browser, or your login profile and LD_PRELOAD something.

Edit: other than sandboxing, but I'm targeting this at the Great Wayland Security Theater.
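Both this comment and the earlier one about shell profiles describe the same persistence path: same-user code editing a start-up file or a `.desktop` launcher to inject `LD_PRELOAD`. The added example below (not code from the thread) is the defender's side of that: a scan over shell start-up files, `.desktop` launchers and `/etc/ld.so.preload` that flags any `LD_PRELOAD` assignment or preload entry. It takes a path-to-contents mapping so it runs offline on the constructed samples; the file names, the library path and the user name in those samples are made up for the example.

```python
"""Scan shell start-up files, .desktop launchers and /etc/ld.so.preload for
LD_PRELOAD persistence.

Added example, not from the thread. Input is a mapping of path -> file contents
so it runs offline on constructed samples; in practice you would read
~/.profile, ~/.bashrc, ~/.zshenv, /etc/ld.so.preload and
~/.local/share/applications/*.desktop.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# LD_PRELOAD set in a shell file (`export LD_PRELOAD=...`, `LD_PRELOAD=...`) or
# in a .desktop Exec= line via `env LD_PRELOAD=...`.
PRELOAD_RE = re.compile(r'(?:^|[\s;])(?:export\s+)?LD_PRELOAD=(?P<val>\S+)')


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    detail: str


def scan_file(path: str, text: str) -> list[Finding]:
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank or comment line
        if path.endswith('ld.so.preload'):
            # Every entry here is loaded into every dynamically linked process,
            # so report all of them and note when one lives outside the system
            # library directories.
            where = 'system path' if line.startswith(('/usr/lib', '/lib')) else 'non-system path'
            findings.append(Finding(path, no, f'ld.so.preload entry ({where}): {line}'))
            continue
        m = PRELOAD_RE.search(line)
        if m:
            kind = 'desktop launcher' if path.endswith('.desktop') else 'shell start-up file'
            findings.append(Finding(path, no, f'LD_PRELOAD set in {kind}: {m.group("val")}'))
    return findings


def scan_all(files: dict[str, str]) -> list[Finding]:
    out = []
    for path, text in files.items():
        out.extend(scan_file(path, text))
    return out


# Constructed sample files: one clean profile, one modified profile (with a
# commented-out line that must not be flagged), one modified launcher, one
# system-wide preload entry.
SAMPLE_FILES = {
    '/home/alice/.bashrc': (
        'export PATH="$HOME/bin:$PATH"\n'
        '# export LD_PRELOAD=/tmp/commented.so\n'
        'export LD_PRELOAD=/home/alice/.cache/.x/libhook.so\n'
    ),
    '/home/alice/.local/share/applications/firefox.desktop': (
        '[Desktop Entry]\nName=Firefox\n'
        'Exec=env LD_PRELOAD=/home/alice/.cache/.x/libhook.so firefox %u\n'
    ),
    '/etc/ld.so.preload': '/usr/lib/libexample.so\n',
    '/home/alice/.zshrc': 'alias ll="ls -l"\n',
}

if __name__ == '__main__':
    for f in scan_all(SAMPLE_FILES):
        print(f'{f.path}:{f.line_no}: {f.detail}')
```

A scan like this only covers the specific persistence path the comments describe; it says nothing about the many other ways same-user code can persist, which is exactly the comments' point about where the real boundary sits.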


This is why we need app sandboxing as the mobile platforms already do. Snaps and Flatpak both support this, but their critics resist without providing an alternative.

I'd rather hold software creators accountable for releasing malware. 100% protection against bad software is not free.

Are the mobile platforms using Snap and Flatpak?

..... guix shell --container

it's great for this.



