X permission bypass

Posted 2024-08-02 21:12:03

I'm trying to write an application that runs as a daemon and monitors
running X sessions. Right now I'm struggling to find documentation
regarding the X security model. Specifically, I'm attempting to
connect to running X displays from my daemon process. Calling
XOpenDisplay(dispName) doesn't work, I guess because my process
doesn't have permission to connect to this display. After a bit of
research, it looks like I need to do something with xauth.

In my test environment, the X server is started like this:

/usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-QBEVDj

That file contains a single entry, that looks like this:

#ffff##:  MIT-MAGIC-COOKIE-1  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

By adding an entry to ~/.Xauthority with the same hex key, I can
connect to the X server. However, this is difficult because I need to
programmatically find the auth file the X server is using (the
location of which I guess will change from distro to distro, and
probably from one boot to the next), then query it, then write a new
auth file. If the process is running as a daemon, it might not have a
home directory, so how do I know where to write the new entries to?

Ideally, what I'm looking for is a way to bypass the need to have the
xauth cookie in ~/.Xauthority, or even to know what the cookie is at
all. I realise that this is unlikely - what good is a security model
if it's easily bypassed? But I'm hoping someone on this list may have
a few good ideas. Is there a way to specify that my process is
privileged and thus should automatically be given access to any
display on the local machine?

Comments (2)

柳絮泡泡 2024-08-09 21:12:03

You don't have to use a home directory if you specify an XAUTHORITY environment variable, which specifies the location of the .Xauthority file. Read the xauth man page.

But, in general, it's hard to locate the auth file, for the reasons you mentioned; also, this "fishing for auth tokens" approach would only work for local displays.

With regard to letting root (or some other user) connect to an X server willy-nilly, you'd probably have to patch the source code to do this, and you'd have to use something like getpeereid to obtain the connecting user's uid/gid (this only works on Unix-domain sockets, which I presume would be the type used for local connections, anyway).
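
The question asks how to query the server's auth file and write a new one, and the answer above points at XAUTHORITY. As an added example (not code from this thread), here is a Python decoder and encoder for the binary Xauthority format that the -auth file and ~/.Xauthority share; the cookie value is constructed and the output path is left to the caller.

```python
import struct
from collections import namedtuple

# Address-family codes from Xauth.h; xauth lists FAMILY_WILD as "#ffff##".
FAMILY_LOCAL, FAMILY_WILD = 256, 65535
# Fields: family, host address, display number (b"0"), protocol name
# (b"MIT-MAGIC-COOKIE-1"), data (the 16 raw cookie bytes xauth prints as hex).
XauthEntry = namedtuple("XauthEntry", "family address number name data")

def _read_field(buf, off):
    # One big-endian uint16 length, then that many bytes.
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("truncated Xauthority entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_xauthority(buf):
    """Decode the binary .Xauthority format: per entry a uint16 family
    followed by four length-prefixed fields (address, number, name, data)."""
    entries, off = [], 0
    while off < len(buf):
        (family,) = struct.unpack_from(">H", buf, off)
        address, off = _read_field(buf, off + 2)
        number, off = _read_field(buf, off)
        name, off = _read_field(buf, off)
        data, off = _read_field(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries

def serialize_xauthority(entries):
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += struct.pack(">H", len(field)) + field
    return bytes(out)

def entries_for_display(entries, number):
    """Keep only cookies valid for display :<number> over the local socket."""
    return [e for e in entries
            if e.number == number and e.family in (FAMILY_LOCAL, FAMILY_WILD)]

# Constructed sample of the server's "-auth" file contents (made-up cookie).
SAMPLE_COOKIE = bytes.fromhex("0123456789abcdef0123456789abcdef")
SERVER_AUTH_FILE = serialize_xauthority(
    [XauthEntry(FAMILY_WILD, b"", b"0", b"MIT-MAGIC-COOKIE-1", SAMPLE_COOKIE)])
```

Write serialize_xauthority(entries_for_display(...)) to a file created with mode 0600 and export XAUTHORITY with that path before calling XOpenDisplay; xauth reads and writes this same format, so the result can be checked with xauth -f <path> list.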

盗心人 2024-08-09 21:12:03

Xauth is not the only security mechanism for X.

There is also another one (less secure) that just performs IP-based authentication (see xhost).

So if you switch your X server to this less secure mode it will trust any connections coming from the defined set of IPs.

This way you do not need to deal with Xauthority at all.
