Wonder how these play out against the https://github.com/X11Libre/xserver base, would be interesting to hear from that end as to how these things are handled. My understanding is that they address any sec issues that arise on x.org but it would be fascinating if the issues are already mitigated since XLibre updated their xserver port with 1000s of issues that were never addressed on the x.org side of things.
On their github you can see all three changes identical to x.org's happened on October 28th (same day as the advisory). So, they were not already fixed, but the fixes were applied immediately.
That's the fork where the primary cause was to be "anti-woke", right? Honestly it seemed like it was just because that one guy was a little unbalanced, and he happened to be channeling that energy into an X server fork.
An X server code base is such a niche topic, do you honestly think Xorg or any other project is capable of being a "woke" X server? It sounds more like this one guy has some issues and is trying to blame something he is already bitter about.
Good that people are finding and fixing these, but basically allowing any untrusted client to talk to your X server is asking for trouble just by design. (Bonus points if you have any Tcl/Tk apps running, where you can simply transmit commands for the program to run via the X server.)
There are plenty of setups where the X server runs at higher privileges/on a different host than the (partially trusted) application that might exploit the X server. This is a classic elevation of privileges vulnerability in those setups.
X11's practical absence of any security mechanisms for user sessions means you should probably not run any kind of low-trust UI program anyway, as there is no prevention of keystroke injection or screen recording, but that's a design flaw that will never be solved. That doesn't mean that EoP style attacks like these should be ignored or underestimated, though.
Why do people keep persisting this myth? X11 has authentication. You can either rely on filesystem permissions, or a shared secret. The same way thousands of other network servers work.
Any program you run on a computer (especially a Linux computer, which lacks modern OS security measures and has constant privesc kernel holes) exposes you to security flaws. There has yet to be any computer system designed that a hacker can't break out of. If you intentionally download and execute a program, you are rolling the dice, regardless of what the software is.
What's insane about all these discussions is that NOBODY IS HACKING X SERVERS. There's a thousand other kinds of software on Linux that there is real malware for. But nobody is trying to hijack your X11 session. This imagined threat is a red herring designed to bolster the argument for Wayland's horrible designs.
> What's insane about all these discussions is that NOBODY IS HACKING X SERVERS
I knew someone who worked for a small loan type company. Passwords were stored in plain text, but even worse, the login form didn't actually check the password at all, it created valid sessions as long as you provided a valid user name.
When he informed his boss that was very bad, his boss simply said that nobody has abused it, and nobody would, don't waste time changing it.
The point, of course, is why would you wait until people are getting hacked to address a known vulnerability?
Sure, there are others, and they should be closed too, and they are when they are found. It makes no sense whatsoever to leave one open just because.
I think the point being made isn't that X.org shouldn't fix their vulnerabilities. It's that there's always a huge amount of discussion about vulnerabilities and security models when one is found in the display server or the window manager when actual exploitation doesn't seem to be particularly high.
Many distros, if not most distros, disable port 6000+ listening for X.org by default. So, immediately, it's not a remote exploit. OK, so it's scope is already limited to local escalation attacks. Looking at the CVE, the only reason it's high is because (a) X.org is everywhere, (b) you don't need to interact with [another] user to exploit it, and (c) it's not particularly complex to exploit.
That is bad, but it's also behind most of the other security, rather than bypassing essentially all of it like Heartbleed or Shellshock.
So, either I have to have X forwarding turned back on, or have people with SSH access to a server that is also running X. Both of those seem like uncommon situations. You probably shouldn't be running X or permitting X to be started unless you need X forwarding, and X forwarding is a pretty odd requirement given modern application design being so web-browser-focused.
So it might be CVE High 7+ if you're on a system where it's possible to exploit it. But it feels like you shouldn't often be on a system configured in a way where it could be exploited in spite of the prevalence of X.
Essentially: This isn't a rehash of the libXfont problem.
But there is no vulnerability at all. For a normally configured X server with TCP listening, the server should be configured to use MIT magic cookies for authentication. This randomly-generated string is needed to authenticate and establish a connection to the X server. You can use the xauth command to manually configure it as needed.
It's the equivalent of HTTP Digest authentication, and nobody's demanding that we rewrite HTTP because Digest authentication. It's in plaintext, so you shouldn't use it; but if a hacker doesn't know the secret, they can't get in.
Digest as I understand it is a weak authentication protocol, it doesn't mean it is implemented with known vulnerabilities.
I distinguish vulnerability from weak. The weakness is not necessarily intended, but the question is, does it do what it is supposed to do. Or is there a known bug: non intended possible exploit, that would make it a vulnerability.
If it isn't known then it doesn't exist. But we can assume all software do have bugs.
Digest is part of the http protocol, if the protocol is found to have vulnerability I can imagine it would be dropped and be rewritten. The digest part, not the entire http protocol.
A hacker may not have the password, but manages to brute forces it. Is that a digest vulnerability or does it fall onto the application to integrate some preventing brute force authentication measures?
My take is digest doesn't pretend to prevent brute force attacks.
Some may not agree with that logic, but since about everything is made of a combination of vectors, and that each typically has some weakness, all you get is a balance between usability, cost, and security.
We can make the case for your typical cryptographic signature, or encryption algorithm. ECDSA standing as well respected, solid cipher. Is it vulnerable? It is vulnerable to the potential power of machines we may build in times to come. Quantum or leaps ahead. Will it be vulnerable then? Yes but it isn't a vulnerability. We would then call ECDSA obsolete.
Digest is obsolete yes.
The interesting part about cryptographic methods is that we may know of some being obsolete ahead of time. So long as we can determine they can be brute forced. For now it isn't obsolete despite the existence of quantum resistant alternatives. Hacker news uses ECDSA for the exchange of keys between server and client, then encrypts all connections using another algorithm safe against quantum computers. Thanks. But beyond that, probably not.
Is X obsolete? Vulnerable? Seems like X developers themselves admit it is a vulnerability. They didn't know of the possible exploit. As to the severity? It's often subjective from my experience.
> is why would you wait until people are getting hacked to address a known vulnerability?
Do you have some other way of _reliably_ identifying vulnerabilities?
> It makes no sense whatsoever to leave one open just because.
It makes sense to have security options. If I want to leave it fully unlocked, that's my business, and I possibly have good environmental reasons to do this.
What you should really care about are security _defaults_. And in X11's case I'm not aware of any distribution that ships the server with TCP connections to the sever enabled. You have to go well out of your way to even begin using this functionality.
I don't dispute your anecdote but I think the point was: x11 has been around for decades, and these things just don't happen. And the reason is that there are much simpler and more effective ways to pwn a box than trying to screenshot an x session or trying to hook for key presses. So the vulnerability surface just isn't large enough.
It does make sense if the vuln doesn’t fit in your threat model.
There are always an uncountable number of vulnerabilities and you can never fix all that are found.
No idea of course if the threat model that said boss had in mind made sense. But I always recommend to come up with a reasonable threat model first and then think you can harden against it.
I think the issue isn't that you downloaded random hostile software, but that other software you do use has some sort of vulnerability (recent Unity vulnerability, browser sandbox escape, etc) and an issue like this would allow for privilege escalation.
Wayland doesn't need X11's vulnerability as its only argument, Wayland is a much simpler design that is easier to iterate on because it doesn't assume the client and server are on different machines. The fact that it moves privileged APIs like screen capture behind portals is a bonus.
So simple and easy to iterate on that Wayland compositors are still not as full-featured as X11 desktop environments after more then a decade, and can't be due to protocols no one is able to agree to implement.
X11 has options for tear free video playback; it's not in the base protocol, and not all drivers offer it, etc, but it's acheivable. Fundamentally, you need to send the next frame to the server and ask it to switch frames during vblank (+/- notification), on today's systems, this is more of a coordination problem than a technical one; there's plenty of video ram to go around to double/tripple buffer.
HDR would fit in the X11 model of many bit depths, however the specifics don't really; afaik, X11 has a maximum bitdepth of 32 for pixel values, which means either limiting to 2-bits of alpha channel or using palettes (I think I saw that indexed colors can be defined with 16-bits per channel). An extension might be possible (with everything that brings), but I think the ship has sailed.
I agree that Wayland's security model prevents some undesirable interactions that X11 allows, but it also prevents or makes difficult some desirable interactions, so it's a mixed bag.
> I agree that Wayland's security model prevents some undesirable interactions that X11 allows, but it also prevents or makes difficult some desirable interactions, so it's a mixed bag.
That is so true, I wanted to have a typing sound from my pc everytime I typed on wayland and I looked at LITERALLY every single solution and none of them worked... simply because of the security model of wayland (so things like Mechvibes and alternatives don't work generally speaking)
On one hand, its a good thing to prevent things like password injection etc. but on the other, really?
I got frustrated and I created a lot of github issues on every such project if they said that they are working on wayland and I didn't care if it meant running it as sudo, I just asked them kindly if there was a way or not/ what's the issue here
There are still times where I get a lot of notifications simply because someone commented on those issues
So naturally a lot of people are/were frustrated about it. Not sure if its a good thing or not, but I 100% agree about this comment of yours
Another big issue imo to me feels like ssh, X servers ssh forwarding/vnc just works, Yet I haven't really found ways to do things like VNC on wayland on a server or something as easy (or even possible?) on wayland as compared to x servers, Please let me know if there are apps which do this though, I know about weston but I haven't found ways to work with it/make it work (maybe my skill issue)
Are there any solutions to these things though? Fundamentally that mechvibes things requires an app to view the key from every other application and make a sound, Nothing stops it from being a key-logger as well if it had that capability and Wayland was created with a better security model but as you say and I experienced, that security model comes up with its own compromises and I am not sure if that's a good thing or bad thing....
With the caveat that I haven't used Wayland ... [1]
Waypipe is supposed to help replace things like remote X. I'd be surprised if there's no vnc server that offers a wayland desktop... that would be a big missed opportunity.
For your noisemaker, I think you might have a better time integrating at another level. Either intercept the inputs before the display server gets them, or integrate into the display server itself. X was more flexible, but as long as it's just typing -> noise, you don't need it to have the same architecture as it did in X.
[1] Wayland has no compelling features for me, and X remains viable for me as well. At some point, hardware support might be compelling, or IMHO, something will come to replace Wayland and X that is compelling.
I remember watching tear free HD video in 2011 on a netbook I dug out of the e-waste dumpster in the UC Berkeley CS building basement. Chrome/Openbox/X11. That laptop was literally trash.
Wayland is the way to go. The same applies to Flatpak, Pipewire, systemD, etc. I'd say that this is obvious, and doesn't even need to be argued, to 99%+ of those who actually use the Linux desktop. The only opposition to this is a small group of decelerationists with a major, irrational aversion to change.
Having only two major options, X and Wayland, doesn't mean either one is correct. It is generally true that X needs to be replaced, but Wayland is not necessarily the replacement we need. It would be good to have more competition.
On a separate note, I think it's probably true that Wayland has significant drawbacks that preclude it from being an obvious replacement.
Everything you listed is bloated, slow, incompatible, unfinished or unstable. My system worked fine 20 years ago on far less capable hardware. Now even with high end workstations systems lag, crash or have strange behavior
That's either a lie or you are talking out of your..
Wayland literally runs on ultra-low-end infotainment systems, Pipewire is surprisingly stable and featureful compared to its age (also, what's your alternative, pulseaudio?) and systemd is possibly the best thing that happened to linux userspace in the last decade, letting packages work across different distributions without unnecessary extra work.
We are running systemd with all bells and whistles on Raspberry Pi based 1 GB RAM systems. systemd-networkd, iwd, timers etc. The base usage barely touches 350 MiBs. Our actual application is containerized with systemd thanks to broad set of options increasing system security quite a bit. It works great.
You know what's bloated? Replacing all those functions with custom bash scripts or worse system services.
My thoughts on systemd are complicated but I wasn't around at the time of systemd
Personally it is my opinion that Linux really split in two due to systemd partially because of the idea of the sheer size of systemd code
I am not saying that we always need such simplicity, but that I am merely giving an opinion that there are people who actually want to understand what they are running as their root and this sense of "control" really is so hard to get from things like system-d
System-d is also thus a little "bloated" compared to other inits which really show in systems like containers etc. where most developers if possible try to have alpine containers (I have seen this especially so much in golang/rust communities partially because golang is mostly static available and rust can be done the same too or compiled with musl pretty easily)
As such, personally, I can understand both systemd and other init systems, I feel like there are some guides which prefer using hummingbird etc. (https://github.com/comfies/tldrlfs) and I feel like for actually understanding "linux" from linux from scratch, other inits can be good.
Another minor nitpick I have of systemd is that its glibc based, Glibc has some of the weirdest complexities I have ever seen and a lot of package management in my opinion has been built around it and personally it feels like the decisions were made in a different era where different types of resources were constrained and updates weren't as widespread but now it has been a mess which is why we need so many linux distros in the first place with their opinions and package management
I genuinely prefer musl for this, So I prefer things like alpine/void in the process as well yet to me, freedom matters a lot. There should be a freedom of choice in such matters and systemd severely restricts it for many.
I feel like systemd is way too ambitious and which is why it requires glibc to be more feature complete in the first place, not sure if its a good or bad thing but I am merely stating what I feel like.
As I said, I have nothing against systemd myself but I am just giving the nuance I felt like, as I was trying to build my own linux distro trying to make it hyper compact and I came into this rabbit-hole, My philosophy almost was out of curiosity regarding what are the smallest systems which are still functionable (Hint: its tiny core linux which is an absolute pleasure although it isn't "secure" partially because they run everything as root If I remember correctly but )
>We are running systemd with all bells and whistles on Raspberry Pi based 1 GB RAM systems. systemd-networkd, iwd, timers etc. The base usage barely touches 350 MiBs
Okay but what are your thoughts on alpine, Alpine's motto or the first thing you see in bold letters on their website (https://alpinelinux.org/) is
Small. Simple. Secure.
Alpine Linux is a security-oriented, lightweight Linux distribution based on musl libc and busybox.
Combined with either gcompat to run glibc or personally I genuinely prefer golang/rust applications (mostly golang) like running gitea on alpine etc. and I found it to be an absolute pleasure server side to work with mostly, except sometimes software download especially python when I was running alpine on android using userLand was a somewhat-issue but maybe I had skill issue or something but I genuinely learnt a lot trying to install python on it.
Bun/Deno just works out of the box, in fact deno is even available in the apk format of alpine out of the box
I truly love alpine/appreciate its message. I feel like systems should be small partially because that means that such software could run even on much older systems just out of the box
Alpine features raspberry pi images and there is dietpi which has some decent low iso file sizes, Check them out as well if possible
Personally I love alpine but I also love the idea of using debian or some immutable distro which uses systemd and then running alpine in container, it seems to be the best of both worlds really.
Of course X has authentication, but once you're in, you're in. There are no elevated windows, screen recording permissions, or any sort of keylogger prevention. That was normal a few decades ago, but the world has moved on since.
There's no real reason it can't do any of that, it just doesn't and there are no real plans to add these features.
I'm not convinced by the "if you run a program you should assume you've already been hit by a CIA 0day". Obviously nobody is dialing into your X11 server from the internet, but this is a relatively easy nobody:nobody -> root/wm-session/whatever elevation of privilege.
If malware is in your X server, doesn't that mean it's running under your user account? And if that's the case, then couldn't it just steal your data right off the filesystem without needing to get it from X?
> Why do people keep persisting this myth? X11 has authentication. You can either rely on filesystem permissions, or a shared secret. The same way thousands of other network servers work.
Any program you incidentally run within a typical graphical user session will have access to the X socket and a cookie, they will be able to connect. And after they connect... They basically just can do anything they want with zero real restrictions, including most likely some fairly trivial paths to root escalation. Even if they're running inside of a sandbox or container, with only an X11 socket poking through.
This problem was realized a very long time ago with the security extension but most of it never really caught on.
> Any program you run on a computer (especially a Linux computer, which lacks modern OS security measures and has constant privesc kernel holes) exposes you to security flaws. There has yet to be any computer system designed that a hacker can't break out of. If you intentionally download and execute a program, you are rolling the dice, regardless of what the software is.
If you believe this is true, then what exactly is the point of any security measure? Why bother using isolation and sandboxing, or passwords? Why does Windows bother patching flaws if they know there are certainly more of them and they will never fix them?
Do you by chance also smoke because you're going to die anyways?
> What's insane about all these discussions is that NOBODY IS HACKING X SERVERS. There's a thousand other kinds of software on Linux that there is real malware for. But nobody is trying to hijack your X11 session. This imagined threat is a red herring designed to bolster the argument for Wayland's horrible designs.
Lol. That's primarily because the Linux desktop is utterly irrelevant, not because nobody would care to do it. Is it really surprising that attacks against desktop computers would focus almost entirely on the OS that has 90+% of the market share? We don't get free software OS desktop malware for the same reason we don't get free software OS software ports.
Watching and waiting with security was a totally acceptable position in the 90s, but we get the general gist these days. We need security-by-design.
On the server side of Linux where Linux is relevant, the situation is much more impressive; auditing using eBPF, sandboxing with gVisor, microVMs with Firecracker and cloud-hypervisor, isolation using namespaces and seccomp-bpf and more.
On the desktop side, people are still arguing over whether or not it's a problem that any X client can by default silently keylog the entire system trivially. Okay, but a lot of us actually see that as a problem, and we're not interested much in "hearing you out". Most of us recognize that the Wayland protocol has warts (and too many damn protocols), but X11 has many more warts. I didn't care what was the successor to X11 specifically, I just cared that we eventually made some progress. Most people have nothing to offer here and just suggest we should've stuck with X11. Okay dude, but nobody wants to. The X.org devs would like to move on. The desktop environments really would like to move on. There was basically one serious guy that actually wanted to work on improving X11 and he turned out to be kind of crazy and couldn't stop breaking shit anyways.
Yeah, with Qubes that's exactly what they do. I forget what the software is called, but they use an X11 proxy that tries to enforce policy.
That said though, that does require you to proactively run every X application with this sandboxing. For Qubes which forces everything into VMs this is doable, but for most other systems there isn't an obvious way to handle this sort of thing.
My only major complaint about Wayland that can't just be fixed relatively easily is Mutter refusing to support SSD. (Well, the actual technical problem could be fixed relatively easily, but the social one not so much.)
X11 had the distinction between trusted and untrusted X11 clients basically forever. But nobody bothered to even spend the minimal amount of work to make this usable in practice^1.
This had two reasons: 1.) It is irrelevant when you run the programs as the same user so nobody bothered (and no: Wayland does not help: https://github.com/Aishou/wayland-keylogger) 2.) It is more fun to simply pretend it is unfixable broken and write something new (something any good engineering manager should have stopped immediately).
¹. I used to use this and also fixed some bugs in some programs. The main problem when I last checked a decade ag was that some important extensions such as composite would need to be exposed to untrusted clients.
That Wayland keylogger is not the same thing. X11 has several mechanisms (XTest, XRecord, XI raw inputs) to receive a global raw key input stream, accessible to anyone who connects to the X server, without even making a visible window surface. It even bypasses grabs, meaning that your lock screen password entry can be snooped on.
The Wayland keylogger acts like an application; all Wayland compositors will only send key events to the focused surface, so the user has to focus an active surface in order to get key events. Even in the scenario where you've LD_PRELOAD-hooked all applications, you still will never get the lock screen password, as the compositor never sends it out across the wire.
LD_PRELOAD is problematic from a security perspective, but it's not Wayland-specific: the same issue is true for CLI applications and X11 applications, and any attacker with the ability to write files could also just replace your binaries with malicious ones (stuff them somewhere into ~/.hidden, and then add a $PATH entry to the start).
I think you did not understand my point. X11 has several such mechanisms, yes, but it also has the concept of untrusted clients that disallow the use of these mechanisms and could be used to provide safety similar to Wayland. The point is that this mechanism of untrusted X clients was neglected and I gave an explanation way.
Solaris had Trusted Extensions for X11 which shipped with Trusted Solaris 8.
In 2000.
Solaris 10 had it built into the base OS and integrated into both the CDE and GNOME desktops they shipped. With OpenSolaris it was released as open source under the non-GNU CDDL license.
And going to rabbit hole there are even proof of concept security implementation named Xnamespace for Xorg fork (needs polishing and much more patches but looks doable. see wip documentation: https://raw.githubusercontent.com/X11Libre/xserver/d2b60a3d6... )
The way X11 developers ended up fixing this is by creating Wayland. This way privileged operations (like keylogging, screen capture, etc) require the cooperation and authentication through the display server.
That sort of solution is cancer if you want to do anything the display server authors didn't think of. I've got a script that I invoke with a global hotkey that determines the window title of the currently focused window and fuzzy matches it against pipewire audio stream names so I can mute the focused window with a single keypress. If I want that to work in Wayland I'm pretty much up shit creek because somebody with their head in the clouds thinks that my needs are super dangerous or something.
Wayland devs for the longest time thought implementing what was needed for accessibility (mainly, global keyboard hooks for Orca to work) was a security problem. Nevermind the fact that nobody hacks X servers, or your wayland compositor, because if I wanted to hook your keyboard with a keylogger, I'd hook it through evdev. And then you wouldn't even know let alone be able to do much about it if I did it properly.
Wayland doesn't say "this is impossible", it says "this is out of scope of the core display protocol, implement this somewhere else".
Which, well, we do. Practically all the X usecases are covered on Wayland systems now. Screen sharing, screen clipping, global hotkeys, file pickers, getting the window title like you said... I can do all of that on KDE, right now, under Wayland.
If you change to another DE that has less capabilities than KDE, of course you can't do it. Emacs and LibreOffice Writer will have vastly different capabilities and people can choose what they want based on the capabilities they desire.
And that is exactly the problem. Now things like accessibility (or, really, any feature that the maintainers of the core protocol didn't think were "necessary" because they like minimalism) have to be implemented by each and every compositor. If the compositor doesn't implement it, your screwed unless either you convince them to add it or you add it yourself. Talk about causing huge amounts of fragmentation for absolutely no reason.
The proper thing Wayland should've done is waited until Wayland had reached feature parity with X, then released it to the world and started acting like it's the future.
If I have a kiosk terminal, why would I want the overhead of, say, screensharing? Also, isn't this the point of libraries, so that you only have to implement stuff once, and you can reuse it in different projects? Like you can build on top of wlroots just fine.
> The proper thing Wayland should've done is waited until Wayland had reached feature parity with X
How on Earth would you expect a fundamental protocol to be developed behind closed doors?! Wtf even.
> If I have a kiosk terminal, why would I want the overhead of, say, screensharing? Also, isn't this the point of libraries, so that you only have to implement stuff once, and you can reuse it in different projects? Like you can build on top of wlroots just fine.
Yeah but again this fragments the ecosystem massively. If people really wanted flexibility they could've just made it a configure option or something equivalent?
> How on Earth would you expect a fundamental protocol to be developed behind closed doors?! Wtf even.
Your making a pretty big assumption here, aren't you? I never said it had to be developed behind closed doors. It's the "lets just obsolete X11 even though Wayland can't even replicate a quarter of it's functionality right now now now because of security security security" that irritates me. If they had worked on Wayland and obsoleted it once they had reached feature parity, that would be releasing it to the world. Then they would've had far less friction and the transition would've been a lot smoother. Would it have delayed Wayland by maybe a decade? Sure, but I see little issue with that. IMO that probably would've made Wayland even better.
Wayland was specifically built to support things that aren't desktops, so feature parity with X was never a design goal of Wayland. The idea was that Wayland would be a super-flexible "you give me a window and events, I give you rendered bitmaps" kind of protocol, and then desktop functionality would be layered on top for people who wanted a desktop. Not everything needs to be a desktop (e.g. car infotainment displays, KDE Plasma widgets, etc), and some protocols would be super limited if they had to fit in a desktop mold (e.g. VR displays[0] with apps in non-planar windows).
The main mistake FD.o made is that they didn't get consensus on a "Desktop Profile" extension, so all the DEs wound up implementing their own thing. This is still fixable, just very annoying until we have agreement on this shit. I think that's what you meant by "feature parity with X".
[0] Currently, every desktop VR setup has to have two layers of compositors. VR applications have to communicate with a special VR compositor that then draws normal desktop windows with the contents of what should be hitting each eye of the VR display, all so it can pretend to be two normal displays.
I could say the exact same thing about X, A lot of the problems people had with X historically was that developments goal was to "create mechanisms not policy" and people just wanted a desktop environment that worked.
An antidote on non desktop use of X: the other day I wanted to show a program on my phone, there are many good ways to do this, but I picked none of them. Instead I had just installed a terminal on the phone and noticed they had an X11 package, So A few minutes later I was the proud owner of an X server on a phone. And you know what... It was pretty great. My gaming system load and temps dashboard were displaying just fine.
Despite using X for many, many years, I had never just sat down and played with a bare X server, I had only dealt with it through the lens of a locked down, encumbered desktop system. It was like having a network attached monitor. From whatever system I was using as a desktop system I could just go "display this on that monitor", in this case a phone. Based on that experience I put a raspberry pi on my TV running a bare unprotected X server because having a network attached monitor rocks.
Yeah, pretty much. I would be less disagreeable about Wayland if they had solved this problem early (and yes, they should've thought about this early during Wayland because the most prominent target is desktop environments). But they didn't, and I don't even know if they'll come up with some unified solution that all DEs/WMs can agree on or whether they'll just keep allowing DEs/WMs to do their own thing. Either way, fragmentation is never a good idea on what, I think, many would consider critical functionality. At least, I consider the requirements to implement accessibility to be rather critical, which is the primary reason I still use Xorg.
That's the issue. Because wayland punts on so much functionality that used to be available with standard interfaces in X11, it fragments the ecosystem to such a degree that all these useful little utilities just don't really have a means to grow.
For some weird reason I can't access it, it just redirects me to this image about hacker news. Did he just configure his webserver to just universally display that image? Even if I manually enter the address into my address bar it does that so I assume that that's what he did...
Good. Disallowing software to position its own windows has been a major usability improvement over the X11 days of software making stupid positioning decisions and having to patch it out everywhere...
Yeah, assuming all users and all software should work the same idea is a great way to get people moving to a new platform.
Maybe, just maybe, some people know what they want, and if they want applications that can put themselves in specific corners, why shouldn't the desktop let the applications do that, if the user is OK with it?
Fixing X11's security would of broken window positioning as well. Since that is a security issue.
The deal here is that the only way to fix X11's security issues is by breaking all those types of workflows and forcing application rewrites to implement them in authenticated ways.
So if you are going have to go and break all that stuff, why not fix a crapload of other problems while you are at it?
Calling Wayland "X13" may have avoided a lot of misunderstandings, but it probably would of caused others.
Maybe it's both? There are applications with good reason that need to chose their location themselves, and users who want that type of behavior, so it's definitively not just a security issue.
That looks like the display manager (i.e. login screen) running on vt4, which is probably not where you are logged in. Does it switch to another user when you log in?
Note you have multiple virtual consoles which can have independent X servers.
No, that's actually my real and only Xorg, it's the child process of /usr/libexec/gdm-x-session and that process is owned by my real user id, and the Xorg process provides /tmp/.X11-unix/X1 that e.g. strace -e connect xlsclients shows is the socket it uses. Notice also that it uses a significant amount of memory and has consumed a meaningful amount of CPU time, much more than a dm would do.
Good point about display manager though, I suppose it's not using Xorg then as I do know there is a login screen waiting at vt1 but that's the only Xorg process. Maybe the gdm3 incorporates a Wayland implementation in Debian 13.
Some oldschool legends are still fixing bugs in xorg.
Alan Coopersmith in particular. He even fixed a bug I reported. :)
(I forgot in which app it was but the bug report should be somewhere still; it is not old, perhaps 2 years ago or 3 years ago. The xorg app in question behaved oddly when doing "--version". I only noticed
this because I wrote a ruby script that displays which version of programs are
installed, and that one kept on making problems, whereas the others worked
fine. After I reported it, Alan fixed this very quickly. I think it was some
missing flag in the C program or something like that; right now I can not
remember the name of the program ... my brain tries to say xrandr but I think
it was not xrandr but a less frequently used program somewhere in the FTP
listing ...)
It did, but it could receive messages thanks to MIT Magic Cookies, which you could send because of Tk’s excellent integration with X. I can’t remember now if it was the browser you could also effectively spy on via similar means. Long time ago. I have largely forgotten how my tool worked now but the code I wrote (modified wish shell) might still be out there.
Xorg is indeed a lot of painful complexity. This being said, the software is not Linux specific, and for modern Linux distributions, it is more and more a legacy technology.
Coverity is pretty good about finding these kinds of bugs. Is there a reason why a project as significant as Xorg isn't taking advantage of their gratis access for that tool?
I think the short story is that the people who develop Wayland are the people who used to develop Xorg.
And they’d rather spend their energy on giving you a compelling reason to switch, rather than using it to add to the reasons for staying on a project they now consider obsolete.
You may disagree with their assessment, but you can’t blame them for how they decide to prioritize.
> Probably not seeing how the code for at least the 3rd was written in 1994, some 30 years before Fil-C existed.
How is this possibly the most charitable reading of parents comment, and honestly, do you think that's what they meant? You can't read that in some other way, where maybe parent wasn't actually asking about time traveling but something else?
Yes it was bit uncharitable, but I couldn't resist based on the way he phrased it. It was just a joke.
"Preventing" the vulnerability would indeed require going back to 1994. Since it is a vulnerability that has existed in every display server released since then.
I meant it in the sense of continuing to run old C code like X.org in a safer way without unnecessary rewrites to memory safe languages. These vulnerabilities, like this one that's been in the wild as you say for 30 years uncaught, will continue to be found. Something like Fil-C is really useful in that context.
I also said "would it have" -- I don't really care about timeline. Obviously Fil-C is a recent development, that doesn't make the question I asked any less interesting.
This being the default question to literally any C vulnerability is already getting really old. Fil-C doesn't provably prevent anything. It is a hobby project by a dilettante.
Wonder how these play out against the https://github.com/X11Libre/xserver base, would be interesting to hear from that end as to how these things are handled. My understanding is that they address any sec issues that arise on x.org but it would be fascinating if the issues are already mitigated since XLibre updated their xserver port with 1000s of issues that were never addressed on the x.org side of things.
On their github you can see all three changes identical to x.org's happened on October 28th (same day as the advisory). So, they were not already fixed, but the fixes were applied immediately.
That project is a pipe dream. They don't have what it takes to continue X11 alive once X.Org pulls the plug.
I bet you are the life of the party. Seriously though, what makes you write that so matter of factly?
That's the fork where the primary cause was to be "anti-woke", right? Honestly it seemed like it was just because that one guy was a little unbalanced, and he happened to be channeling that energy into an X server fork.
This project has way more serious problem than security!
What problem does the project have, other than being a target of radical cancel culture?
An X server code base is such a niche topic, do you honestly think Xorg or any other project is capable of being a "woke" X server? It sounds more like this one guy has some issues and is trying to blame something he is already bitter about.
We’re seriously still using that phrase? You couldn’t even work in “woke” or a gender joke?
EDIT: I found it! Does your x server identify as Wayland?
Good that people are finding and fixing these, but basically allowing any untrusted client to talk to your X server is asking for trouble just by design. (Bonus points if you have any Tcl/Tk apps running, where you can simply transmit commands for the program to run via the X server.)
There are plenty of setups where the X server runs at higher privileges/on a different host than the (partially trusted) application that might exploit the X server. This is a classic elevation of privileges vulnerability in those setups.
X11's practical absence of any security mechanisms for user sessions means you should probably not run any kind of low-trust UI program anyway, as there is no prevention of keystroke injection or screen recording, but that's a design flaw that will never be solved. That doesn't mean that EoP style attacks like these should be ignored or underestimated, though.
Why do people keep persisting this myth? X11 has authentication. You can either rely on filesystem permissions, or a shared secret. The same way thousands of other network servers work.
Any program you run on a computer (especially a Linux computer, which lacks modern OS security measures and has constant privesc kernel holes) exposes you to security flaws. There has yet to be any computer system designed that a hacker can't break out of. If you intentionally download and execute a program, you are rolling the dice, regardless of what the software is.
What's insane about all these discussions is that NOBODY IS HACKING X SERVERS. There's a thousand other kinds of software on Linux that there is real malware for. But nobody is trying to hijack your X11 session. This imagined threat is a red herring designed to bolster the argument for Wayland's horrible designs.
> What's insane about all these discussions is that NOBODY IS HACKING X SERVERS
I knew someone who worked for a small loan type company. Passwords were stored in plain text, but even worse, the login form didn't actually check the password at all, it created valid sessions as long as you provided a valid user name.
When he informed his boss that was very bad, his boss simply said that nobody has abused it, and nobody would, don't waste time changing it.
The point, of course, is why would you wait until people are getting hacked to address a known vulnerability?
Sure, there are others, and they should be closed too, and they are when they are found. It makes no sense whatsoever to leave one open just because.
I think the point being made isn't that X.org shouldn't fix their vulnerabilities. It's that there's always a huge amount of discussion about vulnerabilities and security models when one is found in the display server or the window manager when actual exploitation doesn't seem to be particularly high.
Many distros, if not most distros, disable port 6000+ listening for X.org by default. So, immediately, it's not a remote exploit. OK, so it's scope is already limited to local escalation attacks. Looking at the CVE, the only reason it's high is because (a) X.org is everywhere, (b) you don't need to interact with [another] user to exploit it, and (c) it's not particularly complex to exploit.
That is bad, but it's also behind most of the other security, rather than bypassing essentially all of it like Heartbleed or Shellshock.
So, either I have to have X forwarding turned back on, or have people with SSH access to a server that is also running X. Both of those seem like uncommon situations. You probably shouldn't be running X or permitting X to be started unless you need X forwarding, and X forwarding is a pretty odd requirement given modern application design being so web-browser-focused.
So it might be CVE High 7+ if you're on a system where it's possible to exploit it. But it feels like you shouldn't often be on a system configured in a way where it could be exploited in spite of the prevalence of X.
Essentially: This isn't a rehash of the libXfont problem.
But there is no vulnerability at all. For a normally configured X server with TCP listening, the server should be configured to use MIT magic cookies for authentication. This randomly-generated string is needed to authenticate and establish a connection to the X server. You can use the xauth command to manually configure it as needed.
It's the equivalent of HTTP Digest authentication, and nobody's demanding that we rewrite HTTP because Digest authentication. It's in plaintext, so you shouldn't use it; but if a hacker doesn't know the secret, they can't get in.
Digest as I understand it is a weak authentication protocol, it doesn't mean it is implemented with known vulnerabilities.
I distinguish vulnerability from weak. The weakness is not necessarily intended, but the question is, does it do what it is supposed to do. Or is there a known bug: non intended possible exploit, that would make it a vulnerability.
If it isn't known then it doesn't exist. But we can assume all software do have bugs.
Digest is part of the http protocol, if the protocol is found to have vulnerability I can imagine it would be dropped and be rewritten. The digest part, not the entire http protocol.
A hacker may not have the password, but manages to brute forces it. Is that a digest vulnerability or does it fall onto the application to integrate some preventing brute force authentication measures?
My take is digest doesn't pretend to prevent brute force attacks.
Some may not agree with that logic, but since about everything is made of a combination of vectors, and that each typically has some weakness, all you get is a balance between usability, cost, and security.
We can make the case for your typical cryptographic signature, or encryption algorithm. ECDSA standing as well respected, solid cipher. Is it vulnerable? It is vulnerable to the potential power of machines we may build in times to come. Quantum or leaps ahead. Will it be vulnerable then? Yes but it isn't a vulnerability. We would then call ECDSA obsolete.
Digest is obsolete yes.
The interesting part about cryptographic methods is that we may know of some being obsolete ahead of time. So long as we can determine they can be brute forced. For now it isn't obsolete despite the existence of quantum resistant alternatives. Hacker news uses ECDSA for the exchange of keys between server and client, then encrypts all connections using another algorithm safe against quantum computers. Thanks. But beyond that, probably not.
Is X obsolete? Vulnerable? Seems like X developers themselves admit it is a vulnerability. They didn't know of the possible exploit. As to the severity? It's often subjective from my experience.
Happy to be wrong, and we don't have to agree.
> is why would you wait until people are getting hacked to address a known vulnerability?
Do you have some other way of _reliably_ identifying vulnerabilities?
> It makes no sense whatsoever to leave one open just because.
It makes sense to have security options. If I want to leave it fully unlocked, that's my business, and I possibly have good environmental reasons to do this.
What you should really care about are security _defaults_. And in X11's case I'm not aware of any distribution that ships the server with TCP connections to the sever enabled. You have to go well out of your way to even begin using this functionality.
I don't dispute your anecdote but I think the point was: x11 has been around for decades, and these things just don't happen. And the reason is that there are much simpler and more effective ways to pwn a box than trying to screenshot an x session or trying to hook for key presses. So the vulnerability surface just isn't large enough.
It does make sense if the vuln doesn’t fit in your threat model. There are always an uncountable number of vulnerabilities and you can never fix all that are found.
No idea of course if the threat model that said boss had in mind made sense. But I always recommend to come up with a reasonable threat model first and then think you can harden against it.
I think the issue isn't that you downloaded random hostile software, but that other software you do use has some sort of vulnerability (recent Unity vulnerability, browser sandbox escape, etc) and an issue like this would allow for privilege escalation.
Wayland doesn't need X11's vulnerability as its only argument, Wayland is a much simpler design that is easier to iterate on because it doesn't assume the client and server are on different machines. The fact that it moves privileged APIs like screen capture behind portals is a bonus.
So simple and easy to iterate on that Wayland compositors are still not as full-featured as X11 desktop environments after more then a decade, and can't be due to protocols no one is able to agree to implement.
>> Wayland compositors are still not as full-featured as X11 desktop environments
It depends what features you care about. X11 doesn't have tear-free video playback, HDR, or as good a security model as Wayland.
X11 has options for tear free video playback; it's not in the base protocol, and not all drivers offer it, etc, but it's acheivable. Fundamentally, you need to send the next frame to the server and ask it to switch frames during vblank (+/- notification), on today's systems, this is more of a coordination problem than a technical one; there's plenty of video ram to go around to double/tripple buffer.
HDR would fit in the X11 model of many bit depths, however the specifics don't really; afaik, X11 has a maximum bitdepth of 32 for pixel values, which means either limiting to 2-bits of alpha channel or using palettes (I think I saw that indexed colors can be defined with 16-bits per channel). An extension might be possible (with everything that brings), but I think the ship has sailed.
I agree that Wayland's security model prevents some undesirable interactions that X11 allows, but it also prevents or makes difficult some desirable interactions, so it's a mixed bag.
> I agree that Wayland's security model prevents some undesirable interactions that X11 allows, but it also prevents or makes difficult some desirable interactions, so it's a mixed bag.
That is so true, I wanted to have a typing sound from my pc everytime I typed on wayland and I looked at LITERALLY every single solution and none of them worked... simply because of the security model of wayland (so things like Mechvibes and alternatives don't work generally speaking)
On one hand, its a good thing to prevent things like password injection etc. but on the other, really?
I got frustrated and I created a lot of github issues on every such project if they said that they are working on wayland and I didn't care if it meant running it as sudo, I just asked them kindly if there was a way or not/ what's the issue here
There are still times where I get a lot of notifications simply because someone commented on those issues
So naturally a lot of people are/were frustrated about it. Not sure if its a good thing or not, but I 100% agree about this comment of yours
Another big issue imo to me feels like ssh, X servers ssh forwarding/vnc just works, Yet I haven't really found ways to do things like VNC on wayland on a server or something as easy (or even possible?) on wayland as compared to x servers, Please let me know if there are apps which do this though, I know about weston but I haven't found ways to work with it/make it work (maybe my skill issue)
Are there any solutions to these things though? Fundamentally that mechvibes things requires an app to view the key from every other application and make a sound, Nothing stops it from being a key-logger as well if it had that capability and Wayland was created with a better security model but as you say and I experienced, that security model comes up with its own compromises and I am not sure if that's a good thing or bad thing....
With the caveat that I haven't used Wayland ... [1]
Waypipe is supposed to help replace things like remote X. I'd be surprised if there's no vnc server that offers a wayland desktop... that would be a big missed opportunity.
For your noisemaker, I think you might have a better time integrating at another level. Either intercept the inputs before the display server gets them, or integrate into the display server itself. X was more flexible, but as long as it's just typing -> noise, you don't need it to have the same architecture as it did in X.
[1] Wayland has no compelling features for me, and X remains viable for me as well. At some point, hardware support might be compelling, or IMHO, something will come to replace Wayland and X that is compelling.
I remember watching tear free HD video in 2011 on a netbook I dug out of the e-waste dumpster in the UC Berkeley CS building basement. Chrome/Openbox/X11. That laptop was literally trash.
Using a compositor fixes screen tearing, no need to use Wayland for that.
Even a compositor is unnecessary to fix screen tearing these days: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests...
Wayland is the way to go. The same applies to Flatpak, Pipewire, systemD, etc. I'd say that this is obvious, and doesn't even need to be argued, to 99%+ of those who actually use the Linux desktop. The only opposition to this is a small group of decelerationists with a major, irrational aversion to change.
Having only two major options, X and Wayland, doesn't mean either one is correct. It is generally true that X needs to be replaced, but Wayland is not necessarily the replacement we need. It would be good to have more competition.
On a separate note, I think it's probably true that Wayland has significant drawbacks that preclude it from being an obvious replacement.
Everything you listed is bloated, slow, incompatible, unfinished or unstable. My system worked fine 20 years ago on far less capable hardware. Now even with high end workstations systems lag, crash or have strange behavior
That's either a lie or you are talking out of your..
Wayland literally runs on ultra-low-end infotainment systems, Pipewire is surprisingly stable and featureful compared to its age (also, what's your alternative, pulseaudio?) and systemd is possibly the best thing that happened to linux userspace in the last decade, letting packages work across different distributions without unnecessary extra work.
We are running systemd with all bells and whistles on Raspberry Pi based 1 GB RAM systems. systemd-networkd, iwd, timers etc. The base usage barely touches 350 MiBs. Our actual application is containerized with systemd thanks to broad set of options increasing system security quite a bit. It works great.
You know what's bloated? Replacing all those functions with custom bash scripts or worse system services.
My thoughts on systemd are complicated but I wasn't around at the time of systemd Personally it is my opinion that Linux really split in two due to systemd partially because of the idea of the sheer size of systemd code
There are things like https://github.com/Sweets/hummingbird which, I, not even a C person can understand and appreciate its simplicity.
I am not saying that we always need such simplicity, but that I am merely giving an opinion that there are people who actually want to understand what they are running as their root and this sense of "control" really is so hard to get from things like system-d
System-d is also thus a little "bloated" compared to other inits which really show in systems like containers etc. where most developers if possible try to have alpine containers (I have seen this especially so much in golang/rust communities partially because golang is mostly static available and rust can be done the same too or compiled with musl pretty easily)
As such, personally, I can understand both systemd and other init systems, I feel like there are some guides which prefer using hummingbird etc. (https://github.com/comfies/tldrlfs) and I feel like for actually understanding "linux" from linux from scratch, other inits can be good.
Another minor nitpick I have of systemd is that its glibc based, Glibc has some of the weirdest complexities I have ever seen and a lot of package management in my opinion has been built around it and personally it feels like the decisions were made in a different era where different types of resources were constrained and updates weren't as widespread but now it has been a mess which is why we need so many linux distros in the first place with their opinions and package management
I genuinely prefer musl for this, So I prefer things like alpine/void in the process as well yet to me, freedom matters a lot. There should be a freedom of choice in such matters and systemd severely restricts it for many.
I feel like systemd is way too ambitious and which is why it requires glibc to be more feature complete in the first place, not sure if its a good or bad thing but I am merely stating what I feel like.
As I said, I have nothing against systemd myself but I am just giving the nuance I felt like, as I was trying to build my own linux distro trying to make it hyper compact and I came into this rabbit-hole, My philosophy almost was out of curiosity regarding what are the smallest systems which are still functionable (Hint: its tiny core linux which is an absolute pleasure although it isn't "secure" partially because they run everything as root If I remember correctly but )
>We are running systemd with all bells and whistles on Raspberry Pi based 1 GB RAM systems. systemd-networkd, iwd, timers etc. The base usage barely touches 350 MiBs
Okay but what are your thoughts on alpine, Alpine's motto or the first thing you see in bold letters on their website (https://alpinelinux.org/) is
Small. Simple. Secure.
Alpine Linux is a security-oriented, lightweight Linux distribution based on musl libc and busybox.
Combined with either gcompat to run glibc or personally I genuinely prefer golang/rust applications (mostly golang) like running gitea on alpine etc. and I found it to be an absolute pleasure server side to work with mostly, except sometimes software download especially python when I was running alpine on android using userLand was a somewhat-issue but maybe I had skill issue or something but I genuinely learnt a lot trying to install python on it.
Bun/Deno just works out of the box, in fact deno is even available in the apk format of alpine out of the box
I truly love alpine/appreciate its message. I feel like systems should be small partially because that means that such software could run even on much older systems just out of the box
Alpine features raspberry pi images and there is dietpi which has some decent low iso file sizes, Check them out as well if possible
Personally I love alpine but I also love the idea of using debian or some immutable distro which uses systemd and then running alpine in container, it seems to be the best of both worlds really.
"Our actual application is containerized"
so you're a cargo cult moron
Of course X has authentication, but once you're in, you're in. There are no elevated windows, screen recording permissions, or any sort of keylogger prevention. That was normal a few decades ago, but the world has moved on since.
There's no real reason it can't do any of that, it just doesn't and there are no real plans to add these features.
I'm not convinced by the "if you run a program you should assume you've already been hit by a CIA 0day". Obviously nobody is dialing into your X11 server from the internet, but this is a relatively easy nobody:nobody -> root/wm-session/whatever elevation of privilege.
If malware is in your X server, doesn't that mean it's running under your user account? And if that's the case, then couldn't it just steal your data right off the filesystem without needing to get it from X?
It could be a remote X client on another machine.
> Why do people keep persisting this myth? X11 has authentication. You can either rely on filesystem permissions, or a shared secret. The same way thousands of other network servers work.
Any program you incidentally run within a typical graphical user session will have access to the X socket and a cookie, they will be able to connect. And after they connect... They basically just can do anything they want with zero real restrictions, including most likely some fairly trivial paths to root escalation. Even if they're running inside of a sandbox or container, with only an X11 socket poking through.
This problem was realized a very long time ago with the security extension but most of it never really caught on.
> Any program you run on a computer (especially a Linux computer, which lacks modern OS security measures and has constant privesc kernel holes) exposes you to security flaws. There has yet to be any computer system designed that a hacker can't break out of. If you intentionally download and execute a program, you are rolling the dice, regardless of what the software is.
If you believe this is true, then what exactly is the point of any security measure? Why bother using isolation and sandboxing, or passwords? Why does Windows bother patching flaws if they know there are certainly more of them and they will never fix them?
Do you by chance also smoke because you're going to die anyways?
> What's insane about all these discussions is that NOBODY IS HACKING X SERVERS. There's a thousand other kinds of software on Linux that there is real malware for. But nobody is trying to hijack your X11 session. This imagined threat is a red herring designed to bolster the argument for Wayland's horrible designs.
Lol. That's primarily because the Linux desktop is utterly irrelevant, not because nobody would care to do it. Is it really surprising that attacks against desktop computers would focus almost entirely on the OS that has 90+% of the market share? We don't get free software OS desktop malware for the same reason we don't get free software OS software ports.
Watching and waiting with security was a totally acceptable position in the 90s, but we get the general gist these days. We need security-by-design.
On the server side of Linux where Linux is relevant, the situation is much more impressive; auditing using eBPF, sandboxing with gVisor, microVMs with Firecracker and cloud-hypervisor, isolation using namespaces and seccomp-bpf and more.
On the desktop side, people are still arguing over whether or not it's a problem that any X client can by default silently keylog the entire system trivially. Okay, but a lot of us actually see that as a problem, and we're not interested much in "hearing you out". Most of us recognize that the Wayland protocol has warts (and too many damn protocols), but X11 has many more warts. I didn't care what was the successor to X11 specifically, I just cared that we eventually made some progress. Most people have nothing to offer here and just suggest we should've stuck with X11. Okay dude, but nobody wants to. The X.org devs would like to move on. The desktop environments really would like to move on. There was basically one serious guy that actually wanted to work on improving X11 and he turned out to be kind of crazy and couldn't stop breaking shit anyways.
You could use a proxy server (regardless of the protocol), which might improve security (and other things) better than other methods do, I think.
There are problems with both X11 and Wayland, although I dislike some of the features of Wayland.
Yeah, with Qubes that's exactly what they do. I forget what the software is called, but they use an X11 proxy that tries to enforce policy.
That said though, that does require you to proactively run every X application with this sandboxing. For Qubes which forces everything into VMs this is doable, but for most other systems there isn't an obvious way to handle this sort of thing.
My only major complaint about Wayland that can't just be fixed relatively easily is Mutter refusing to support SSD. (Well, the actual technical problem could be fixed relatively easily, but the social one not so much.)
Firejail uses nested X11 servers like xeohyr or xrdp to restrict application access to the primary X11.
Hmm, I thought it was Xephyr but I was wrong. It looks like Qubes actually does something even more involved:
https://doc.qubes-os.org/en/latest/developer/system/gui.html
This makes sense though, given the way clipboard works in Qubes. I think I must've entirely mistaken how Qubes works for an entirely different scheme.
X11 had the distinction between trusted and untrusted X11 clients basically forever. But nobody bothered to even spend the minimal amount of work to make this usable in practice^1. This had two reasons: 1.) It is irrelevant when you run the programs as the same user so nobody bothered (and no: Wayland does not help: https://github.com/Aishou/wayland-keylogger) 2.) It is more fun to simply pretend it is unfixable broken and write something new (something any good engineering manager should have stopped immediately).
¹. I used to use this and also fixed some bugs in some programs. The main problem when I last checked a decade ag was that some important extensions such as composite would need to be exposed to untrusted clients.
That Wayland keylogger is not the same thing. X11 has several mechanisms (XTest, XRecord, XI raw inputs) to receive a global raw key input stream, accessible to anyone who connects to the X server, without even making a visible window surface. It even bypasses grabs, meaning that your lock screen password entry can be snooped on.
The Wayland keylogger acts like an application; all Wayland compositors will only send key events to the focused surface, so the user has to focus an active surface in order to get key events. Even in the scenario where you've LD_PRELOAD-hooked all applications, you still will never get the lock screen password, as the compositor never sends it out across the wire.
LD_PRELOAD is problematic from a security perspective, but it's not Wayland-specific: the same issue is true for CLI applications and X11 applications, and any attacker with the ability to write files could also just replace your binaries with malicious ones (stuff them somewhere into ~/.hidden, and then add a $PATH entry to the start).
I think you did not understand my point. X11 has several such mechanisms, yes, but it also has the concept of untrusted clients that disallow the use of these mechanisms and could be used to provide safety similar to Wayland. The point is that this mechanism of untrusted X clients was neglected and I gave an explanation way.
> something any good engineering manager should have stopped immediately
Who exactly should and can control the horde of OSS developers?
They were paid by redhat.
[flagged]
Solaris had Trusted Extensions for X11 which shipped with Trusted Solaris 8.
In 2000.
Solaris 10 had it built into the base OS and integrated into both the CDE and GNOME desktops they shipped. With OpenSolaris it was released as open source under the non-GNU CDDL license.
In November 2006.
Wayland was started in 2008.
Digging deeper there are mechanisms for long time on internal X side (see https://www.x.org/releases/X11R7.6/doc/xorg-docs/specs/Xserv... ) - granted never seen it practically implemented.
And going to rabbit hole there are even proof of concept security implementation named Xnamespace for Xorg fork (needs polishing and much more patches but looks doable. see wip documentation: https://raw.githubusercontent.com/X11Libre/xserver/d2b60a3d6... )
The way X11 developers ended up fixing this is by creating Wayland. This way privileged operations (like keylogging, screen capture, etc) require the cooperation and authentication through the display server.
That sort of solution is cancer if you want to do anything the display server authors didn't think of. I've got a script that I invoke with a global hotkey that determines the window title of the currently focused window and fuzzy matches it against pipewire audio stream names so I can mute the focused window with a single keypress. If I want that to work in Wayland I'm pretty much up shit creek because somebody with their head in the clouds thinks that my needs are super dangerous or something.
Wayland devs for the longest time thought implementing what was needed for accessibility (mainly, global keyboard hooks for Orca to work) was a security problem. Nevermind the fact that nobody hacks X servers, or your wayland compositor, because if I wanted to hook your keyboard with a keylogger, I'd hook it through evdev. And then you wouldn't even know let alone be able to do much about it if I did it properly.
Wayland doesn't say "this is impossible", it says "this is out of scope of the core display protocol, implement this somewhere else".
Which, well, we do. Practically all the X usecases are covered on Wayland systems now. Screen sharing, screen clipping, global hotkeys, file pickers, getting the window title like you said... I can do all of that on KDE, right now, under Wayland.
Can you do it in a way that isn't KDE specific, and will work if you change your DE one day on a whim?
If you change to another DE that has less capabilities than KDE, of course you can't do it. Emacs and LibreOffice Writer will have vastly different capabilities and people can choose what they want based on the capabilities they desire.
And that is exactly the problem. Now things like accessibility (or, really, any feature that the maintainers of the core protocol didn't think were "necessary" because they like minimalism) have to be implemented by each and every compositor. If the compositor doesn't implement it, your screwed unless either you convince them to add it or you add it yourself. Talk about causing huge amounts of fragmentation for absolutely no reason.
The proper thing Wayland should've done is waited until Wayland had reached feature parity with X, then released it to the world and started acting like it's the future.
If I have a kiosk terminal, why would I want the overhead of, say, screensharing? Also, isn't this the point of libraries, so that you only have to implement stuff once, and you can reuse it in different projects? Like you can build on top of wlroots just fine.
> The proper thing Wayland should've done is waited until Wayland had reached feature parity with X
How on Earth would you expect a fundamental protocol to be developed behind closed doors?! Wtf even.
> If I have a kiosk terminal, why would I want the overhead of, say, screensharing? Also, isn't this the point of libraries, so that you only have to implement stuff once, and you can reuse it in different projects? Like you can build on top of wlroots just fine.
Yeah but again this fragments the ecosystem massively. If people really wanted flexibility they could've just made it a configure option or something equivalent?
> How on Earth would you expect a fundamental protocol to be developed behind closed doors?! Wtf even.
Your making a pretty big assumption here, aren't you? I never said it had to be developed behind closed doors. It's the "lets just obsolete X11 even though Wayland can't even replicate a quarter of it's functionality right now now now because of security security security" that irritates me. If they had worked on Wayland and obsoleted it once they had reached feature parity, that would be releasing it to the world. Then they would've had far less friction and the transition would've been a lot smoother. Would it have delayed Wayland by maybe a decade? Sure, but I see little issue with that. IMO that probably would've made Wayland even better.
Wayland was specifically built to support things that aren't desktops, so feature parity with X was never a design goal of Wayland. The idea was that Wayland would be a super-flexible "you give me a window and events, I give you rendered bitmaps" kind of protocol, and then desktop functionality would be layered on top for people who wanted a desktop. Not everything needs to be a desktop (e.g. car infotainment displays, KDE Plasma widgets, etc), and some protocols would be super limited if they had to fit in a desktop mold (e.g. VR displays[0] with apps in non-planar windows).
The main mistake FD.o made is that they didn't get consensus on a "Desktop Profile" extension, so all the DEs wound up implementing their own thing. This is still fixable, just very annoying until we have agreement on this shit. I think that's what you meant by "feature parity with X".
[0] Currently, every desktop VR setup has to have two layers of compositors. VR applications have to communicate with a special VR compositor that then draws normal desktop windows with the contents of what should be hitting each eye of the VR display, all so it can pretend to be two normal displays.
I could say the exact same thing about X, A lot of the problems people had with X historically was that developments goal was to "create mechanisms not policy" and people just wanted a desktop environment that worked.
An antidote on non desktop use of X: the other day I wanted to show a program on my phone, there are many good ways to do this, but I picked none of them. Instead I had just installed a terminal on the phone and noticed they had an X11 package, So A few minutes later I was the proud owner of an X server on a phone. And you know what... It was pretty great. My gaming system load and temps dashboard were displaying just fine.
Despite using X for many, many years, I had never just sat down and played with a bare X server, I had only dealt with it through the lens of a locked down, encumbered desktop system. It was like having a network attached monitor. From whatever system I was using as a desktop system I could just go "display this on that monitor", in this case a phone. Based on that experience I put a raspberry pi on my TV running a bare unprotected X server because having a network attached monitor rocks.
Yeah, pretty much. I would be less disagreeable about Wayland if they had solved this problem early (and yes, they should've thought about this early during Wayland because the most prominent target is desktop environments). But they didn't, and I don't even know if they'll come up with some unified solution that all DEs/WMs can agree on or whether they'll just keep allowing DEs/WMs to do their own thing. Either way, fragmentation is never a good idea on what, I think, many would consider critical functionality. At least, I consider the requirements to implement accessibility to be rather critical, which is the primary reason I still use Xorg.
That's the issue. Because wayland punts on so much functionality that used to be available with standard interfaces in X11, it fragments the ecosystem to such a degree that all these useful little utilities just don't really have a means to grow.
:(
You can write a Gnome Shell extension or whatever the KDE equivalent is.
> That sort of solution is cancer if you want to do anything the display server authors didn't think of.
Hey come on man, a locking screen saver is a totally niche application. No demand for that.
xscreensaver works just fine. It only needs to keep nosy roommates out, not the NSA. Not that Wayland would stop spooks anyway.
It doesn’t lock the screen properly under Wayland. There’s an abyss of complaining about Wayland on jwz’s blog.
https://www.jwz.org/blog/2025/07/xscreensaver-wayland-and-lo...
For some weird reason I can't access it, it just redirects me to this image about hacker news. Did he just configure his webserver to just universally display that image? Even if I manually enter the address into my address bar it does that so I assume that that's what he did...
The author of xscreensaver holds hn in a certain amount of contempt, yes. Just go with it.
Also balls
Totally unrelated, I like your nickname :)
That way you also prevent things possible in X11 to be impossible in Wayland, like a window setting it's own position, if you were to want that.
Good. Disallowing software to position its own windows has been a major usability improvement over the X11 days of software making stupid positioning decisions and having to patch it out everywhere...
Yeah, assuming all users and all software should work the same idea is a great way to get people moving to a new platform.
Maybe, just maybe, some people know what they want, and if they want applications that can put themselves in specific corners, why shouldn't the desktop let the applications do that, if the user is OK with it?
Fixing X11's security would of broken window positioning as well. Since that is a security issue.
The deal here is that the only way to fix X11's security issues is by breaking all those types of workflows and forcing application rewrites to implement them in authenticated ways.
So if you are going have to go and break all that stuff, why not fix a crapload of other problems while you are at it?
Calling Wayland "X13" may have avoided a lot of misunderstandings, but it probably would of caused others.
> Since that is a security issue.
Maybe it's both? There are applications with good reason that need to chose their location themselves, and users who want that type of behavior, so it's definitively not just a security issue.
I don't think I've seen X configured to run as root in probably 15 years. If anybody still does anything like that, they're literally asking for it.
Hmm.. On my Debian ps axuw|grep Xorg says
That looks like the display manager (i.e. login screen) running on vt4, which is probably not where you are logged in. Does it switch to another user when you log in?
Note you have multiple virtual consoles which can have independent X servers.
No, that's actually my real and only Xorg, it's the child process of /usr/libexec/gdm-x-session and that process is owned by my real user id, and the Xorg process provides /tmp/.X11-unix/X1 that e.g. strace -e connect xlsclients shows is the socket it uses. Notice also that it uses a significant amount of memory and has consumed a meaningful amount of CPU time, much more than a dm would do.
Good point about display manager though, I suppose it's not using Xorg then as I do know there is a login screen waiting at vt1 but that's the only Xorg process. Maybe the gdm3 incorporates a Wayland implementation in Debian 13.
Any application can literally log EVERYTHING! It's good to see wayland getting better everyday
Some oldschool legends are still fixing bugs in xorg.
Alan Coopersmith in particular. He even fixed a bug I reported. :)
(I forgot in which app it was but the bug report should be somewhere still; it is not old, perhaps 2 years ago or 3 years ago. The xorg app in question behaved oddly when doing "--version". I only noticed this because I wrote a ruby script that displays which version of programs are installed, and that one kept on making problems, whereas the others worked fine. After I reported it, Alan fixed this very quickly. I think it was some missing flag in the C program or something like that; right now I can not remember the name of the program ... my brain tries to say xrandr but I think it was not xrandr but a less frequently used program somewhere in the FTP listing ...)
> Bonus points if you have any Tcl/Tk apps running, where you can simply transmit commands for the program to run via the X server.
Back in 1996 the level of X integration in Tk was awesome; I had a shell tool that could make Netscape do stuff by firing MIT magic cookies at it.
In a contemporary setting, it's pretty horrifying.
Didn't Netscape use Motif?
It did, but it could receive messages thanks to MIT Magic Cookies, which you could send because of Tk’s excellent integration with X. I can’t remember now if it was the browser you could also effectively spy on via similar means. Long time ago. I have largely forgotten how my tool worked now but the code I wrote (modified wish shell) might still be out there.
Considering how nicely Weston with SW rendering runs in Fil-C, I bet that the X server will run fine in Fil-C, too.
Fil-C exhibits the lowest overhead in code that spends its time on primitive bits.
Fil-C exhibits the highest overhead in code that chases pointers.
I'm assuming X is the former. Weston seems to be.
The main pain in linux is graphics. It's a shame.
Xorg is indeed a lot of painful complexity. This being said, the software is not Linux specific, and for modern Linux distributions, it is more and more a legacy technology.
Coverity is pretty good about finding these kinds of bugs. Is there a reason why a project as significant as Xorg isn't taking advantage of their gratis access for that tool?
I think the short story is that the people who develop Wayland are the people who used to develop Xorg.
And they’d rather spend their energy on giving you a compelling reason to switch, rather than using it to add to the reasons for staying on a project they now consider obsolete.
You may disagree with their assessment, but you can’t blame them for how they decide to prioritize.
Don't kill xorg! :(
Would Fil-C have prevented the first or third?
By my reading, it would have prevented all of them.
[flagged]
[flagged]
One of the use-cases of Fil-C is to prevent security issues in old C code that's much older than Fil-C itself.
> Probably not seeing how the code for at least the 3rd was written in 1994, some 30 years before Fil-C existed.
How is this possibly the most charitable reading of parents comment, and honestly, do you think that's what they meant? You can't read that in some other way, where maybe parent wasn't actually asking about time traveling but something else?
Yes it was bit uncharitable, but I couldn't resist based on the way he phrased it. It was just a joke.
"Preventing" the vulnerability would indeed require going back to 1994. Since it is a vulnerability that has existed in every display server released since then.
I meant it in the sense of continuing to run old C code like X.org in a safer way without unnecessary rewrites to memory safe languages. These vulnerabilities, like this one that's been in the wild as you say for 30 years uncaught, will continue to be found. Something like Fil-C is really useful in that context.
I also said "would it have" -- I don't really care about timeline. Obviously Fil-C is a recent development, that doesn't make the question I asked any less interesting.
From HN guidelines:
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.
Perhaps next time, resist the urge :)
This being the default question to literally any C vulnerability is already getting really old. Fil-C doesn't provably prevent anything. It is a hobby project by a dilettante.
> Fil-C doesn't provably prevent anything.
It does. I have lots of documentation to show exactly how and why.
> It is a hobby project by a dilettante.
Wow
[dead]