Bug 3293

Summary: gnome-terminal allows send events by default
Product: [Retired] Red Hat Linux Reporter: daryll
Component: gnome-coreAssignee: Owen Taylor <otaylor>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 1999-08-03 19:54:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description daryll 1999-06-05 21:58:25 UTC 
Any application that can connect to the X display can send
keyboard events to a gnome-terminal. This is a security
issue because it allows propigation of a violated machine.
If I have windows logged into another machine (even through
a secure link such as ssh) or if I have a privaledged shell
those may be compromised by someone getting an X connection
on my machine and sending commands to the remote system or
privaledged shell to create a hole.

gnome-terminal should make the capability to recieve allow
send events as an preferences item, as in xterm.

					- |Daryll
Comment 1 Owen Taylor 1999-06-09 22:58:59 UTC 
This can't really be fixed by default because gnome-terminal
also supports (for instance) drag-and-drop which could
be spoofed by any other client on the display. It is a
hoewever, a decent candidate for a future option; though
it might give a false sense of security.

Basically, I would consider any display allows untrusted
clients access to be unsafe.

Consider as a few examples:

 - Sending fake drag and drop to MC; sending mouse clicks to MC
 - Emacs - I don't believe it guards against send events:
   M-x shell...
 - Any GTK+ program with a file selector that turns on
   the file operation buttons in the GTK+ file selector
   can be used to delete files.
 - Do you use a mail client? Can it do attachments?
   How about attaching /etc/passwd?
 - Grabbing portions of your screen as in a screen capture

[ There is a document in the X source distribution which
details some security considerations between clients on
a display, for those interested in this topic ]

Note that XFree86 also enables the XTest extension by default
and using that a client can, if I'm not mistaken, circumvent
the whole send_event field.
Comment 2 Alan Cox 1999-06-12 21:29:59 UTC 
The X consortium take on this for 6.4 was very much "Use the Xsecurity
extension" not fix the apps. Xsecurity prevents partitioned
applications even reading the properties off a terminal let alone
typing in it

A nice gnome hook for xsecurity might be the right approach

Alan
Comment 3 Elliot Lee 1999-08-03 19:54:59 UTC 
As previously stated, the right solution is to secure the display.