Closed l29ah closed 7 years ago
Is the extension installed? Included with libxext6 on Ubuntu.
On Thu, Apr 06, 2017 at 10:43:05PM -0700, gso wrote:
> Is the extension installed? Included with libxext6 on Ubuntu.
I didn't have it installed, but after I installed it and rebuilt firejail nothing changed.
-- () ascii ribbon campaign - against html mail /\ http://arc.pasp.de/ - against proprietary attachments
It's the extensions that the sandbox server itself actually supports by the looks. If you have logged in as another user with su then it may be X Windows authorisation that is the problem?
On Fri, Apr 07, 2017 at 09:18:22AM -0700, gso wrote:
> It's the extensions the sandbox server itself actually supports by the looks. If you have logged into as another user with su and attempted to run an X application then it may be X Windows authorisation that is the problem?
I didn't. Also this way no --x11 and --x11=xpra won't work, and they do work.
I put out on Sourceforge a new release, can you give it a try? There have been quite a number of fixes in x11 area.
I'm on 519c68b857fba0822919b11e1ef66ed7216e3404, so I guess this doesn't apply to me.
Yes, all the fixes should be in your version.
X11 security extension disables a number of regular X11 extensions. If your application uses one of them, the application will freeze. For example I start Chromium:
$ firejail --x11=xorg chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 1817, child pid 1819
Using authority file /tmp/.tmpXauth-TaWIdm
authorization id is 749
Writing authority file /tmp/.tmpXauth-TaWIdm
Child process initialized
Warning: an existing sandbox was detected. /usr/bin/chromium will run without any additional sandboxing features
Xlib: extension "RANDR" missing on display ":0.0".
Xlib: extension "XInputExtension" missing on display ":0.0".
Xlib: extension "RANDR" missing on display ":0.0".
Xlib: extension "XInputExtension" missing on display ":0.0".
Xlib: extension "XInputExtension" missing on display ":0.0".
Xlib: extension "SHAPE" missing on display ":0.0".
Xlib: extension "SHAPE" missing on display ":0.0".
The browser comes up, but the mouse doesn't work. On Debian jessie I get about half the programs working (including Firefox), the rest behave strangely.
On Sun, Apr 09, 2017 at 06:12:40AM -0700, netblue30 wrote:
> X11 security extension disables a number of regular X11 extensions. If your application uses one of them, the application will freeze. For example I start Chromium:
‰ firejail --x11=xorg true
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 28838, child pid 28839
Using authority file /tmp/.tmpXauth-JYM2Lr
/usr/bin/xauth: (argv):1: couldn't query Security extension on display ":1.0"
Failed to create untrusted X cookie: xauth: exit 1
Error: proc 28838 cannot sync with peer: unexpected EOF
Peer 28839 unexpectedly exited with status 1
This is the command firejail is trying to run:
$ /usr/bin/xauth -v -f /tmp/testxauth generate :0.0 MIT-MAGIC-COOKIE-1 untrusted
/usr/bin/xauth: file /tmp/testxauth does not exist
Using authority file /tmp/testxauth
authorization id is 751
Writing authority file /tmp/testxauth
:0.0 is the display on my system:
$ env | grep DISPLAY
DISPLAY=:0.0
Try to run xauth command in a terminal, replace :0.0 with your display number.
Have just built Lumina Desktop, same issue, I'm not a sys. admn. however it was evident that access control was not configured (see man xhost),
xhost
- without args, whether or not access control is currently enabled
xhost +
- disables access control (no restriction on connections)
xhost + local:
- all local connections
xhost + si:localuser:[username]
- specify a local user
xhost - ...
- removes access
If you use xhost to configure it, is it working?
On Sun, Apr 09, 2017 at 08:39:20AM -0700, gso wrote:
> Have just built Lumina Desktop, same issue, I'm not a sys. admn. however it was evident that access control was not configured (see man xhost),
‰ xhost
access control enabled, only authorized clients can connect
SI:localuser:root
SI:localuser:googleearth
On Sun, Apr 09, 2017 at 08:40:37AM -0700, netblue30 wrote:
> If you use xhost to configure it, is it working?
Yes.
Huh?
xhost config is a desktop problem.
On Wed, Apr 12, 2017 at 08:40:20AM -0700, netblue30 wrote:
> xhost config is a desktop problem.
What do you mean? Have I misconfigured anything?
xhost configuration is set by the guys building the distro. It all depends how X11 was set by them. If it is too restrictive, xorg will kill all kind of requests.
On Wed, Apr 12, 2017 at 09:13:13AM -0700, netblue30 wrote:
> xhost configuration is set by the guys building the distro. It all depends how X11 was set by them. If it is too restrictive, xorg will kill all kind of requests.
I've posted mine. Is it somehow incompatible with firejail?
Could also be the way they compiled xorg to begin with. It is working fine on Debian and Ubuntu.
On Fri, Apr 14, 2017 at 09:52:25AM -0700, netblue30 wrote:
> Could also be the way they compiled xorg to begin with. It is working fine on Debian and Ubuntu.
I did, it's Gentoo after all. Don't see nothing wrong:
xorg-server-1.19.3/configure --prefix=/usr --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --libdir=/usr/lib64 --docdir=/usr/share/doc/xorg-server-1.19.3 --enable-shared --disable-static --disable-selective-werror --enable-ipv6 --disable-debug --disable-dmx --disable-glamor --disable-kdrive --disable-kdrive-kbd --disable-kdrive-mouse --disable-kdrive-evdev --enable-install-setuid --disable-tslib --disable-libunwind --disable-xwayland --enable-record --enable-xfree86-utils --enable-dri --enable-dri2 --enable-glx --disable-xephyr --disable-xnest --enable-xorg --enable-xvfb --enable-config-udev --without-doxygen --without-xmlto --without-systemd-daemon --disable-systemd-logind --enable-libdrm --sysconfdir=/etc/X11 --localstatedir=/var --with-fontrootdir=/usr/share/fonts --with-xkb-output=/var/lib/xkb --disable-config-hal --disable-linux-acpi --without-dtrace --without-fop --with-os-vendor=Gentoo --with-sha1=libcrypto --build=x86_64-pc-linux-gnu
I'll keep an eye on it, so far I couldn't reproduce it on any of my systems.
On Fedora 25, when the default Wayland session is being used, the corresponding Xwayland server seems to have no such security extension.
$ xauth -v generate $DISPLAY . trusted
Using authority file /run/user/1000/gdm/Xauthority
xauth: (argv):1: couldn't query Security extension on display ":1"
$ xauth -v generate $DISPLAY . untrusted
Using authority file /run/user/1000/gdm/Xauthority
xauth: (argv):1: couldn't query Security extension on display ":1"
It is all the same when selecting the GNOME Classic session, where pure X is used and Wayland is bypassed.
There is even no "security" string in the output of xdpyinfo -queryExtensions -ext all
Note that the Security extension is by default disabled in https://github.com/mirror/xserver/blob/master/configure.ac#L564
And it's really disabled in Gentoo. I've rebuilt it properly and now it works. Thank you!
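A preflight check for the failure diagnosed above, plus a triage helper for the Xlib warnings seen in the Chromium log, as an added example that is not part of the original thread or of firejail. The function names and sample inputs are constructed; `xdpyinfo` is the only external tool the live check assumes.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed.

# Read `xdpyinfo` output on stdin. Succeeds only if the server lists the
# SECURITY extension, which `xauth generate ... untrusted` has to query.
has_security_ext() {
    awk 'tolower($1) == "security" { found = 1 } END { exit !found }'
}

# Read a sandboxed client's stderr on stdin. Prints, once each, the
# extensions Xlib reported missing (hidden from the untrusted client).
missing_exts() {
    sed -n 's/^Xlib: *extension "\([^"]*\)" missing on display.*/\1/p' |
        LC_ALL=C sort -u
}

# Live check against $DISPLAY; call by hand before `firejail --x11=xorg`.
preflight() {
    if xdpyinfo 2>/dev/null | has_security_ext; then
        echo "SECURITY extension present on $DISPLAY"
    else
        echo "no SECURITY extension on $DISPLAY: untrusted cookie unavailable" >&2
        return 1
    fi
}

# Constructed xdpyinfo excerpts: one server with the extension, one without.
SAMPLE_WITH='number of extensions:    4
    BIG-REQUESTS
    RANDR
    SECURITY
    SHAPE'
SAMPLE_WITHOUT='number of extensions:    3
    BIG-REQUESTS
    RANDR
    SHAPE'
# Constructed client stderr in the format of the Chromium log above.
SAMPLE_STDERR='Xlib: extension "RANDR" missing on display ":0.0".
Xlib: extension "XInputExtension" missing on display ":0.0".
Xlib: extension "RANDR" missing on display ":0.0".
Xlib: extension "SHAPE" missing on display ":0.0".'

# Demo on the constructed samples (no X server needed).
printf '%s\n' "$SAMPLE_WITH" | has_security_ext && echo "with: ok"
printf '%s\n' "$SAMPLE_WITHOUT" | has_security_ext || echo "without: absent"
printf '%s\n' "$SAMPLE_STDERR" | missing_exts
```

Running `preflight` on a server built without the extension fails before firejail ever reaches the `xauth generate` step, and the list from `missing_exts` shows which extensions a given application expects but cannot see as an untrusted client.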
I have an identical problem. I am trying to set up go-selenium repository on my machine. Installed dependencies mentioned on the GitHub repo page but getting the error as below while I run the test.
$ go test
xauth: (argv):1: couldn't query Security extension on display ":11"
--- FAIL: Example (0.09s)
panic: error starting frame buffer: exit status 1 [recovered]
panic: error starting frame buffer: exit status 1
I am using Fedora 26:
The commands given above by other users and their output in my case:
@netblue30 :
$ /usr/bin/xauth -v -f /tmp/testxauth generate :0.0 MIT-MAGIC-COOKIE-1 untrusted
/usr/bin/xauth: file /tmp/testxauth does not exist
Using authority file /tmp/testxauth
/usr/bin/xauth: (argv):1: couldn't query Security extension on display ":0.0"
$ env | grep DISPLAY
DISPLAY=:0
WAYLAND_DISPLAY=wayland-0
@amtlib-dot-dll :
$ xauth -v generate $DISPLAY . trusted
xauth: file /home/yogesh/.Xauthority does not exist
Using authority file /home/yogesh/.Xauthority
xauth: (argv):1: couldn't query Security extension on display ":0"
$ xauth -v generate $DISPLAY . untrusted
xauth: file /home/yogesh/.Xauthority does not exist
Using authority file /home/yogesh/.Xauthority
xauth: (argv):1: couldn't query Security extension on display ":0"
@l29ah: I am on Gentoo too and observed the same problem you did today. Your post on 13 Jun 2017 looks like you know how to circumvent the problem on Gentoo. Would be extremely nice if you could tell me ;-)
Thanks in advance
@Kalle72
USE=xcsecurity emerge x11-base/xorg-server
Probably should be the default.
master here