For an article written late last year I hoped for a little more awareness of how massive a security hole granting full, unfiltered access to the X11 server is. Granted, any sandboxing is better than none, but firefox is one of the few apps that already sandboxes itself really well, and with a blog title like that it might be good to touch upon things like nested X servers such as Xephyr.
Correct me if I'm wrong, but passing through the X socket gives a giant sandbox escape as any application can control/see any other application, including a root terminal in a GUI app.
I wish I lived in a world were you didn't have to sign contracts, lock your doors, or have X11 security. It is so fun to run xmeltdown a new user's display.
10 comments
[ 3.0 ms ] story [ 30.2 ms ] threadhttps://github.com/X11Libre/xserver/blob/master/doc/Xnamespa...
I have little experience with lxc but I guess waypipe could be an option too.