netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

--x11=xorg couldn't query Security extension #1197

Closed l29ah closed 7 years ago

l29ah commented 7 years ago

master here

‰ firejail --x11=xorg xprop
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 19541, child pid 19542
Using authority file /tmp/.tmpXauth-6G0I7M
/usr/bin/xauth: (argv):1:  couldn't query Security extension on display ":1.0"
Failed to create untrusted X cookie: xauth: exit 1
Error: proc 19541 cannot sync with peer: unexpected EOF
Peer 19542 unexpectedly exited with status 1

gso commented 7 years ago

Is the extension installed? Included with libxext6 on Ubuntu.

l29ah commented 7 years ago

On Thu, Apr 06, 2017 at 10:43:05PM -0700, gso wrote:

Is the extension installed? Included with libxext6 on Ubuntu.

I didn't have it installed, but after I installed it and rebuilt firejail nothing changed.

-- () ascii ribbon campaign - against html mail /\ http://arc.pasp.de/ - against proprietary attachments

gso commented 7 years ago

It's the extensions that the sandbox server itself actually supports by the looks. If you have logged in as another user with su then it may be X Windows authorisation that is the problem?

l29ah commented 7 years ago

On Fri, Apr 07, 2017 at 09:18:22AM -0700, gso wrote:

It's the extensions the sandbox server itself actually supports by the looks. If you have logged into as another user with su and attempted to run an X application then it may be X Windows authorisation that is the problem?

I didn't. Also, that way plain runs (no --x11) and --x11=xpra wouldn't work either, and they do work.


netblue30 commented 7 years ago

I put out on Sourceforge a new release, can you give it a try? There have been quite a number of fixes in x11 area.

https://sourceforge.net/projects/firejail/files/firejail/

l29ah commented 7 years ago

I'm on 519c68b857fba0822919b11e1ef66ed7216e3404, so i guess this doesn't apply to me.

netblue30 commented 7 years ago

Yes, all the fixes should be in your version.

X11 security extension disables a number of regular X11 extensions. If your application uses one of them, the application will freeze. For example I start Chromium:

$ firejail --x11=xorg chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 1817, child pid 1819
Using authority file /tmp/.tmpXauth-TaWIdm
authorization id is 749
Writing authority file /tmp/.tmpXauth-TaWIdm
Child process initialized
Warning: an existing sandbox was detected. /usr/bin/chromium will run without any additional sandboxing features
Xlib:  extension "RANDR" missing on display ":0.0".
Xlib:  extension "XInputExtension" missing on display ":0.0".
Xlib:  extension "RANDR" missing on display ":0.0".
Xlib:  extension "XInputExtension" missing on display ":0.0".
Xlib:  extension "XInputExtension" missing on display ":0.0".
Xlib:  extension "SHAPE" missing on display ":0.0".
Xlib:  extension "SHAPE" missing on display ":0.0".

The browser comes up, but the mouse doesn't work. On Debian jessie I get about half the programs working (including Firefox), the rest behave strangely.

l29ah commented 7 years ago

On Sun, Apr 09, 2017 at 06:12:40AM -0700, netblue30 wrote:

X11 security extension disables a number of regular X11 extensions. If your application uses one of them, the application will freeze. For example I start Chromium:

‰ firejail --x11=xorg true 
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 28838, child pid 28839
Using authority file /tmp/.tmpXauth-JYM2Lr
/usr/bin/xauth: (argv):1:  couldn't query Security extension on display ":1.0"
Failed to create untrusted X cookie: xauth: exit 1
Error: proc 28838 cannot sync with peer: unexpected EOF
Peer 28839 unexpectedly exited with status 1


netblue30 commented 7 years ago

This is the command firejail is trying to run:

$ /usr/bin/xauth -v -f /tmp/testxauth generate :0.0 MIT-MAGIC-COOKIE-1 untrusted
/usr/bin/xauth:  file /tmp/testxauth does not exist
Using authority file /tmp/testxauth
authorization id is 751
Writing authority file /tmp/testxauth

:0.0 is the display on my system:

$ env | grep DISPLAY
DISPLAY=:0.0

Try to run xauth command in a terminal, replace :0.0 with your display number.

gso commented 7 years ago

Have just built Lumina Desktop, same issue. I'm not a sysadmin, however it was evident that access control was not configured (see man xhost):

xhost - without args, whether or not access control is currently enabled
xhost + - disables access control (no restriction on connections)
xhost + local: - all local connections
xhost + si:localuser:[username] - specify a local user
xhost - ... - removes access

netblue30 commented 7 years ago

If you use xhost to configure it, is it working?

l29ah commented 7 years ago

On Sun, Apr 09, 2017 at 08:39:20AM -0700, gso wrote:

Have just built Lumina Desktop, same issue. I'm not a sysadmin, however it was evident that access control was not configured (see man xhost):

‰ xhost
access control enabled, only authorized clients can connect
SI:localuser:root
SI:localuser:googleearth


l29ah commented 7 years ago

On Sun, Apr 09, 2017 at 08:40:37AM -0700, netblue30 wrote:

If you use xhost to configure it, is it working?

Yes.


l29ah commented 7 years ago

Huh?

netblue30 commented 7 years ago

xhost config is a desktop problem.

l29ah commented 7 years ago

On Wed, Apr 12, 2017 at 08:40:20AM -0700, netblue30 wrote:

xhost config is a desktop problem.

What do you mean? Have I misconfigured anything?


netblue30 commented 7 years ago

xhost configuration is set by the guys building the distro. It all depends how X11 was set by them. If it is too restrictive, xorg will kill all kind of requests.

l29ah commented 7 years ago

On Wed, Apr 12, 2017 at 09:13:13AM -0700, netblue30 wrote:

xhost configuration is set by the guys building the distro. It all depends how X11 was set by them. If it is too restrictive, xorg will kill all kind of requests.

I've posted mine. Is it somehow incompatible with firejail?


netblue30 commented 7 years ago

Could also be the way they compiled xorg to begin with. It is working fine on Debian and Ubuntu.

l29ah commented 7 years ago

On Fri, Apr 14, 2017 at 09:52:25AM -0700, netblue30 wrote:

Could also be the way they compiled xorg to begin with. It is working fine on Debian and Ubuntu.

I did, it's Gentoo after all. I don't see anything wrong:

xorg-server-1.19.3/configure --prefix=/usr --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --libdir=/usr/lib64 --docdir=/usr/share/doc/xorg-server-1.19.3 --enable-shared --disable-static --disable-selective-werror --enable-ipv6 --disable-debug --disable-dmx --disable-glamor --disable-kdrive --disable-kdrive-kbd --disable-kdrive-mouse --disable-kdrive-evdev --enable-install-setuid --disable-tslib --disable-libunwind --disable-xwayland --enable-record --enable-xfree86-utils --enable-dri --enable-dri2 --enable-glx --disable-xephyr --disable-xnest --enable-xorg --enable-xvfb --enable-config-udev --without-doxygen --without-xmlto --without-systemd-daemon --disable-systemd-logind --enable-libdrm --sysconfdir=/etc/X11 --localstatedir=/var --with-fontrootdir=/usr/share/fonts --with-xkb-output=/var/lib/xkb --disable-config-hal --disable-linux-acpi --without-dtrace --without-fop --with-os-vendor=Gentoo --with-sha1=libcrypto --build=x86_64-pc-linux-gnu


netblue30 commented 7 years ago

I'll keep an eye on it, so far I couldn't reproduce it on any of my systems.

amtlib-dot-dll commented 7 years ago

On Fedora 25, when the default Wayland session is being used, the corresponding Xwayland server seems to have no such security extension.

$ xauth -v generate $DISPLAY . trusted
Using authority file /run/user/1000/gdm/Xauthority
xauth: (argv):1:  couldn't query Security extension on display ":1"
$ xauth -v generate $DISPLAY . untrusted
Using authority file /run/user/1000/gdm/Xauthority
xauth: (argv):1:  couldn't query Security extension on display ":1"

It is all the same when selecting the GNOME Classic session, where pure X is used and Wayland is bypassed.

amtlib-dot-dll commented 7 years ago

There is even no "security" string in the output of xdpyinfo -queryExtensions -ext all
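The two diagnostics in this thread, netblue30's xauth cookie generation and the xdpyinfo extension listing in this comment, combined into one script. This is an added example, not code from firejail or from any commenter; the function names, the scratch-file handling and the embedded sample xdpyinfo output are this example's own constructions. It uses the same `xauth ... generate ... MIT-MAGIC-COOKIE-1 untrusted` invocation quoted above, against a temporary authority file so the real ~/.Xauthority is never modified:

```shell
#!/bin/sh
# Added example (not part of firejail): find out whether the X server behind a
# display offers the SECURITY extension that `firejail --x11=xorg` relies on
# when it asks xauth for an "untrusted" cookie.  Two checks are combined:
#   1. the extension list printed by `xdpyinfo -queryExtensions`
#   2. the exact xauth invocation firejail performs, into a scratch file
# Function names and sample data below are this example's own inventions.

# Read `xdpyinfo -queryExtensions` output on stdin; succeed (exit 0) only if the
# SECURITY extension is listed.  Matches both "    SECURITY" and
# "    SECURITY  (opcode: ...)" lines, but not e.g. "SECURITY-something".
security_ext_listed() {
    grep -qE '^[[:space:]]*SECURITY([[:space:]]|$)'
}

# Reproduce the cookie generation firejail performs for --x11=xorg, writing to
# a temporary authority file.  Succeeds only if the server hands out an
# untrusted MIT-MAGIC-COOKIE-1 cookie, which requires the SECURITY extension.
untrusted_cookie_ok() {
    display=$1
    tmp=$(mktemp) || return 2
    if xauth -q -f "$tmp" generate "$display" MIT-MAGIC-COOKIE-1 untrusted >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    rm -f "$tmp"
    return $status
}

# Print a verdict for a display and return 0 when --x11=xorg should work.
diagnose_display() {
    display=${1:-$DISPLAY}
    if [ -z "$display" ]; then
        echo "no display given and DISPLAY is unset" >&2
        return 2
    fi
    if xdpyinfo -display "$display" -queryExtensions 2>/dev/null | security_ext_listed; then
        echo "$display: SECURITY extension is listed"
    else
        echo "$display: SECURITY extension is NOT listed (or xdpyinfo is unavailable)"
        echo "  rebuild xorg-server with the extension enabled (configure --enable-xcsecurity;"
        echo "  on Gentoo: USE=xcsecurity emerge x11-base/xorg-server)"
        return 1
    fi
    if untrusted_cookie_ok "$display"; then
        echo "$display: untrusted cookie generation works; firejail --x11=xorg should start"
        return 0
    fi
    echo "$display: xauth could not generate an untrusted cookie (access control or xauth problem)"
    return 1
}

# Constructed samples of `xdpyinfo -queryExtensions` output (not captured from
# any real server) so the parser can be exercised without an X display.
SAMPLE_WITH_SECURITY='name of display:    :0
number of extensions:    3
    BIG-REQUESTS  (opcode: 133)
    SECURITY  (opcode: 137, base event: 0, base error: 150)
    SHAPE  (opcode: 129, base event: 64)'
SAMPLE_WITHOUT_SECURITY='number of extensions:    2
    BIG-REQUESTS  (opcode: 133)
    SHAPE  (opcode: 129, base event: 64)'

# Offline self-test of the parser; returns 0 if both samples are classified
# correctly (first one has the extension, second one does not).
selftest_parser() {
    printf '%s\n' "$SAMPLE_WITH_SECURITY" | security_ext_listed || return 1
    if printf '%s\n' "$SAMPLE_WITHOUT_SECURITY" | security_ext_listed; then
        return 1
    fi
    return 0
}

# Only talk to a live server when explicitly asked: `sh x11check.sh --run [:1]`
case "${1:-}" in
    --run) diagnose_display "${2:-}" ;;
esac
```

Run it as `sh x11check.sh --run` (or `--run :1` for another display); an exit status of 0 means the server both advertises SECURITY and hands out an untrusted cookie, which is the condition firejail needs before it can sync with the sandboxed child. The configure option named in the message is the upstream xorg-server switch the Gentoo USE flag maps to; note that the Gentoo configure line quoted in this thread lacks it.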

amtlib-dot-dll commented 7 years ago

Note that the Security extension is by default disabled in https://github.com/mirror/xserver/blob/master/configure.ac#L564

l29ah commented 7 years ago

And it's really disabled in Gentoo. I've rebuilt it properly and now it works. Thank you!

yogesh-desai commented 7 years ago

I have an identical problem. I am trying to set up the go-selenium repository on my machine. I installed the dependencies mentioned on the GitHub repo page but get the error below when I run the test.

$ go test
xauth: (argv):1: couldn't query Security extension on display ":11"
--- FAIL: Example (0.09s)
panic: error starting frame buffer: exit status 1 [recovered]
panic: error starting frame buffer: exit status 1

I am using Fedora 26. The commands given above by other users and their output in my case:

@netblue30 :

$ /usr/bin/xauth -v -f /tmp/testxauth generate :0.0 MIT-MAGIC-COOKIE-1 untrusted
/usr/bin/xauth: file /tmp/testxauth does not exist
Using authority file /tmp/testxauth
/usr/bin/xauth: (argv):1: couldn't query Security extension on display ":0.0"

$ env | grep DISPLAY
DISPLAY=:0
WAYLAND_DISPLAY=wayland-0

@amtlib-dot-dll :

$ xauth -v generate $DISPLAY . trusted
xauth: file /home/yogesh/.Xauthority does not exist
Using authority file /home/yogesh/.Xauthority
xauth: (argv):1: couldn't query Security extension on display ":0"

$ xauth -v generate $DISPLAY . untrusted
xauth: file /home/yogesh/.Xauthority does not exist
Using authority file /home/yogesh/.Xauthority
xauth: (argv):1: couldn't query Security extension on display ":0"

Kalle72 commented 4 years ago

@l29ah: I am on Gentoo too and observed the same problem you did today. Your post on 13 Jun 2017 looks like you know how to circumvent the problem on Gentoo. Would be extremely nice if you could tell me ;-)

Thanks in advance

l29ah commented 4 years ago

@Kalle72 USE=xcsecurity emerge x11-base/xorg-server
Probably should be the default.