
Changes between Initial Version and Version 1 of Ticket #2014


Timestamp: 10/28/18 17:27:52 (2 years ago)
Author: Antoine Martin
Comment:

First and foremost, don't use xpra 0.17.6, it is old, unsupported and full of bugs, including severe security issues. (more details here: wiki/Packaging/DistributionPackages)

Second, don't run as root, even with firejail.

Additionally why does Xpra need to run Xvfb with permissions removed in Xwrapper.config?

The vfb command line usually configured by default in the xpra packages uses Xorg command line options which are not (normally) available when running suid. (see recent CVE on the subject)

If xpra cannot start the vfb, it will not run. Figure out why you can't run it before looking into xpra. My best guess is that your outdated package tries to run the wrong Xorg binary. Switch to Xvfb or fix Xdummy to run properly within firejail.

I can run Xvfb manually - I just need a way to feed the rendered data to Xorg - so how is Xpra doing this with auth?

I don't understand what "feeding rendered data to Xorg" means here. Xpra usually starts its own vfb and configures access using the xauth command. It can also use an existing display with --use-display=yes, in which case you are responsible for ensuring that xauth access is configured. ($XAUTHORITY) Xpra uses xlib (via GTK) so there is no magic involved, xpra is just like any other (window manager) X11 client application.
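
A pre-flight check for the --use-display=yes case described above, where xauth access is your responsibility. This is an added example, not xpra's code and not part of the original comment: it parses the cookie file that $XAUTHORITY points to and reports what would stop a client from authenticating to a given display. The function names, the hostname "host" and the sample entry are constructed for illustration, and the choice of ownership and permission checks is an assumption.

```python
import os
import stat
import struct

FAMILY_LOCAL = 256  # Xauth family used for unix-socket displays

def parse_xauthority(blob):
    """Each entry: 2-byte big-endian family, then four length-prefixed
    fields (address, display number, auth name, auth data)."""
    entries, pos = [], 0
    try:
        while pos < len(blob):
            (family,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            fields = []
            for _ in range(4):
                (length,) = struct.unpack_from(">H", blob, pos)
                pos += 2
                if pos + length > len(blob):
                    raise ValueError("truncated Xauthority entry")
                fields.append(blob[pos:pos + length])
                pos += length
            address, number, name, data = fields
            entries.append((family, address, number.decode(), name.decode(), data))
    except struct.error:
        raise ValueError("truncated Xauthority entry")
    return entries

def check_display_auth(path, display):
    """Return the problems found for `display` (e.g. ":100") in the file at `path`."""
    problems = []
    st = os.stat(path)
    if st.st_uid != os.getuid():
        problems.append("file is not owned by the current user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("file is readable or writable by group/other")
    with open(path, "rb") as f:
        entries = parse_xauthority(f.read())
    number = display.rsplit(":", 1)[-1].split(".")[0]
    # An empty display number in an entry matches any display.
    cookies = [e for e in entries
               if e[2] in (number, "") and e[3] == "MIT-MAGIC-COOKIE-1"]
    if not cookies:
        problems.append("no MIT-MAGIC-COOKIE-1 entry for display :" + number)
    elif any(len(e[4]) != 16 for e in cookies):
        problems.append("cookie is not 16 bytes long")
    return problems

def sample_entry(number, cookie):
    """Constructed sample entry; the address "host" is made up."""
    parts = [b"host", number.encode(), b"MIT-MAGIC-COOKIE-1", cookie]
    return struct.pack(">H", FAMILY_LOCAL) + b"".join(
        struct.pack(">H", len(p)) + p for p in parts)
```

An empty list from `check_display_auth(os.environ["XAUTHORITY"], ":100")` means the file holds a usable cookie for that display and is private to the calling user.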

  • Ticket #2014

    • Property Owner changed from Antoine Martin to Veek
  • Ticket #2014 – Description

    initial v1  
    1 [https://unix.stackexchange.com/questions/478209/does-firejail-rely-on-the-application-crashing-out-and-why-cant-we-use-named-pi
    2 ]
     1[https://unix.stackexchange.com/questions/478209/ Does firejail rely on the application crashing out and why can't we use named pipes to .Xauthority?]
    32I'm not able to start firejail with Xpra - it has difficulty authenticating with Xorg - I've opened issues on the firejail page. However after asking on SO, as you can see, the mechanism by which Xpra is authenticating with Xorg is unclear so I thought I'd ask.
    43
     
    65
    76I tried debugging but strace wouldn't work
    8 [https://unix.stackexchange.com/questions/478257/how-do-i-strace-a-suid-sgid-program-firejail-as-a-normal-user-test-to-see-wh]
     7[https://unix.stackexchange.com/questions/478257/ How do I strace a suid/sgid program (firejail) as a normal user 'test' to see what's going wrong?]
    98This is the error I was getting in 0.17.6+dfsg-1:
    109{{{
     
    18172018-10-28 19:18:30,371  or use the --use-display flag
    19182018-10-28 19:18:30,371
    20 
    2119}}}
    2220
    23 From what I could make of it, xpra|firejail is trying to add a cookie to /root/.Xauthority (me) - why can't I feed a cookie to the 'test' account's Xauthority and have firejail/xpra read that? Once the app starts I can delete my copy of the cookie.
     21From what I could make of it, xpra|firejail is trying to add a cookie to {{{/root/.Xauthority}}} (me) - why can't I feed a cookie to the 'test' account's Xauthority and have firejail/xpra read that? Once the app starts I can delete my copy of the cookie.
    2422
    2523Additionally why does Xpra need to run Xvfb with permissions removed in Xwrapper.config? I can run Xvfb manually - i just need a way to feed the rendered data to Xorg - so how is Xpra doing this with auth?
    26