Security Ideas

One of the major security problems with X is that, by default, the server has no protections between clients. Lots of people have added security mechanisms over the years, and the server is instrumented with access control checks which all turn into no-ops in the default environment.

The problem has never been the low-level detail of where the access control checks should be placed, but how to apply them: which clients should be restricted, and which should keep the broad access they have today.

The X desktop environment uses the same protocol for both regular clients and management operations. “Regular clients” generally operate on resources they have created along with a few global server resources. Rarely, they will interact with resources owned by other clients. On the other hand, clients performing management operations generally need broad access to many other client resources.

My idea is to use the existing access control hooks to control access between client resources for regular applications, while letting management clients operate as things work today. To identify management clients, we could make them setgid to a special group and have the X server use that information to select the mode.