Ticket #17 (assigned defect)

Opened 5 years ago

Last modified 4 years ago

Sugar-Emulator has no access control

Reported by: morgs Owned by: marcopg
Priority: minor Milestone: 0.86
Component: sugar Version: 0.83.x
Severity: Minor Keywords: r-
Cc: luke@…, sascha_silbe Distribution/OS: Ubuntu
Bug Status: New

Description

Sugar-Emulator uses the '-ac' flag in the Xephyr command line, which turns off access control.

This means that anyone on the network can attach to the display/keyboard/mouse and interfere with the operation of Sugar (such as running xeyes, which goes full screen and can not be cancelled!).

Reported on Ubuntu at https://bugs.launchpad.net/ubuntu/+source/sugar/+bug/296604

Attachments

emulator.py.patch Download (1.0 KB) - added by morgs 5 years ago.
Patch from Ubuntu ticket - Simon Mungewell
xauth.diff Download (1.6 KB) - added by lfaraone 5 years ago.
git-diff of the patch fitted for upstream sugar

Change History

Changed 5 years ago by morgs

Patch from Ubuntu ticket - Simon Mungewell

Changed 5 years ago by lfaraone

  • cc luke@… added

Ubuntu:
"""
Slight problem with patch, 1 in 16 chance that xauth will fail as leading 0 is dropped, new to python so don't know how to fix this....

[...]
--
DEBUG:sugar-emulator:Xauth command: xauth add :3 . a3dd93f39f280dad34d58d6f301a84f
xauth: (argv):1: key contains odd number of or non-hex characters
--

Simon.
"""

Changed 5 years ago by lfaraone

  • owner changed from marcopg to lfaraone
  • status changed from new to accepted

Changed 5 years ago by lfaraone

  • keywords r? added
  • owner changed from lfaraone to marcopg
  • status changed from accepted to assigned

Changed 5 years ago by lfaraone

git-diff of the patch fitted for upstream sugar

Changed 4 years ago by mungewell

The testing of len < 32 is a bit of a nasty way to compensate for leading '0's

Slightly better way of fixing leading zeros...

change
'%s' % hex(random.getrandbits(128))[2:-1]
for
'%032X' % random.getrandbits(128)

and then you don't need the test for length.
Mungewell.
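Added example (not part of the ticket or of either attached patch): a Python 3 sketch of the leading-zero failure discussed above and the zero-padded fix, using the 31-digit key from the quoted debug log as sample input. The function names, the auth-file path, the use of `secrets` in place of `random`, and passing the file to Xephyr with `-auth` instead of `-ac` are assumptions made for this illustration.

```python
import secrets
import string

HEX_DIGITS = set(string.hexdigits)

# Sample value rebuilt from the 31-digit key in the ticket's debug log;
# as a 128-bit number its top hex digit is 0.
SAMPLE = int('a3dd93f39f280dad34d58d6f301a84f', 16)


def unpadded_cookie(value):
    """Unpadded hex, the Python 3 equivalent of the ticket's Python 2
    hex(...)[2:-1]: leading zero digits are silently dropped."""
    return '%x' % value


def padded_cookie(value):
    """The '%032X' form suggested in the ticket: always 32 hex digits."""
    return '%032X' % value


def is_valid_xauth_key(key):
    """xauth needs an even number of characters, all of them hex digits."""
    return bool(key) and len(key) % 2 == 0 and all(c in HEX_DIGITS for c in key)


def new_cookie():
    """128-bit cookie from the OS CSPRNG (assumption: secrets, not random)."""
    return padded_cookie(secrets.randbits(128))


def xauth_add_argv(authfile, display, cookie):
    """argv for 'xauth add'; refuses anything but a full 128-bit key, which
    also catches the even-length but short key left by two dropped zeros."""
    if len(cookie) != 32 or not is_valid_xauth_key(cookie):
        raise ValueError('cookie must be exactly 32 hex digits')
    return ['xauth', '-f', authfile, 'add', ':%d' % display, '.', cookie]


def xephyr_argv(authfile, display):
    """Xephyr started with an authority file rather than '-ac' (assumed)."""
    return ['Xephyr', ':%d' % display, '-auth', authfile]


if __name__ == '__main__':
    print(unpadded_cookie(SAMPLE), is_valid_xauth_key(unpadded_cookie(SAMPLE)))
    print(xauth_add_argv('/tmp/sugar-xauth', 3, new_cookie()))
    print(xephyr_argv('/tmp/sugar-xauth', 3))
```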

Changed 4 years ago by marcopg

  • keywords r- added; r? removed

What about using mcookie? From man:

mcookie generates a 128-bit random hexadecimal number for use with the X authority system. Typical usage:
xauth add :0 . `mcookie`

Changed 4 years ago by marcopg

  • distribution set to Ubuntu
  • status_field set to New
  • severity set to Minor
  • version set to 0.83.x
  • milestone set to 0.86

Changed 4 years ago by sascha_silbe

  • cc sascha_silbe added

Changed 4 years ago by RafaelOrtiz

Maybe mstone work can be used as a reference to fix this.

http://wiki.sugarlabs.org/go/Talk:Development_Team/Chroot
