Opened 12 years ago

Closed 8 years ago

Last modified 7 years ago

#17 closed defect (obsolete)

Sugar-Emulator has no access control

Reported by: morgs Owned by: marcopg
Priority: minor Milestone:
Component: Sugar Version: 0.83.x
Severity: Minor Keywords: r-
Cc: luke@…, sascha_silbe Distribution/OS: Ubuntu
Bug Status: New

Description

Sugar-Emulator uses the '-ac' flag in the Xephyr command line, which turns off access control.

This means that anyone on the network can attach to the display/keyboard/mouse and interfere with the operation of Sugar (such as running xeyes, which goes full screen and can not be cancelled!).

Reported on Ubuntu at https://bugs.launchpad.net/ubuntu/+source/sugar/+bug/296604

Attachments (2)

emulator.py.patch (974 bytes) - added by morgs 12 years ago.
Patch from Ubuntu ticket - Simon Mungewell
xauth.diff (1.6 KB) - added by lfaraone 12 years ago.
git-diff of the patch fitted for upstream sugar


Change History (12)

Changed 12 years ago by morgs

Patch from Ubuntu ticket - Simon Mungewell

comment:1 Changed 12 years ago by lfaraone

  • Cc luke@… added

Ubuntu:
"""
Slight problem with patch, 1 in 16 chance that xauth will fail as leading 0 is dropped, new to python so don't know how to fix this....

[...]
--
DEBUG:sugar-emulator:Xauth command: xauth add :3 . a3dd93f39f280dad34d58d6f301a84f
xauth: (argv):1: key contains odd number of or non-hex characters
--

Simon.
"""

comment:2 Changed 12 years ago by lfaraone

  • Owner changed from marcopg to lfaraone
  • Status changed from new to accepted

comment:3 Changed 12 years ago by lfaraone

  • Keywords r? added
  • Owner changed from lfaraone to marcopg
  • Status changed from accepted to assigned

Changed 12 years ago by lfaraone

git-diff of the patch fitted for upstream sugar

comment:4 Changed 12 years ago by mungewell

The testing of len < 32 is a bit of a nasty way to compensate for leading '0's

Slightly better way of fixing leading zeros...

change
'%s' % hex(random.getrandbits(128))[2:-1]
for
'%032X' % random.getrandbits(128)

and then you don't need the test for length.
Mungewell.
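
The leading-zero failure from comment:1 and the fixed-width formatting from comment:4, as an added example that is not part of the ticket or its attached patches. The function names, the use of `secrets` rather than `random` for the cookie, and the two argv helpers (including the auth-file path passed to them) are assumptions of this example.

```python
import re
import secrets

# xauth's rule, as quoted in its error message: an even number of hex characters.
HEX_KEY = re.compile(r"(?:[0-9a-fA-F]{2})+\Z")

def legacy_cookie(n):
    # Python 3 equivalent of the ticket's Python 2 expression hex(n)[2:-1],
    # which strips "0x" and the trailing "L" and does not pad with zeros.
    return "%x" % n

def padded_cookie(n):
    # Fixed-width form proposed in comment:4: always 32 hex digits.
    return "%032X" % n

def xauth_accepts(key):
    return HEX_KEY.match(key) is not None

def new_cookie():
    # Assumption of this example: draw the 128 bits from the OS CSPRNG.
    # token_hex(16) is always 32 hex digits, so no padding step is needed.
    return secrets.token_hex(16)

def xauth_add_argv(authfile, display, cookie):
    # "." is xauth's abbreviation for MIT-MAGIC-COOKIE-1.
    if len(cookie) != 32 or not xauth_accepts(cookie):
        raise ValueError("cookie must be exactly 32 hex digits")
    return ["xauth", "-f", authfile, "add", display, ".", cookie]

def xephyr_argv(authfile, display):
    # -auth (standard X server option) names the authorization file and
    # takes the place of -ac, so clients must present the cookie.
    return ["Xephyr", display, "-auth", authfile]

# The 31-character key from the debug log in comment:1.
LOGGED_KEY = "a3dd93f39f280dad34d58d6f301a84f"
N = int(LOGGED_KEY, 16)

def legacy_failures_by_top_nibble(low_bits=N):
    # Vary only the top 4 of the 128 bits: exactly one of the 16 values
    # (top nibble 0) gives an odd-length key that xauth rejects.
    return sum(
        not xauth_accepts(legacy_cookie((top << 124) | low_bits))
        for top in range(16)
    )

if __name__ == "__main__":
    print(legacy_cookie(N), xauth_accepts(legacy_cookie(N)))
    print(padded_cookie(N), xauth_accepts(padded_cookie(N)))
    print(legacy_failures_by_top_nibble(), "of 16 top nibbles fail")
```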

comment:5 Changed 12 years ago by marcopg

  • Keywords r- added; r? removed

What about using mcookie? From man:

mcookie generates a 128-bit random hexadecimal number for use with the X authority system. Typical usage:
xauth add :0 . `mcookie`

comment:6 Changed 12 years ago by marcopg

  • Bug Status set to New
  • Distribution/OS set to Ubuntu
  • Milestone set to 0.86
  • Severity set to Minor
  • Version set to 0.83.x

comment:7 Changed 12 years ago by sascha_silbe

  • Cc sascha_silbe added

comment:8 Changed 12 years ago by RafaelOrtiz

Maybe mstone work can be used as a reference to fix this.

http://wiki.sugarlabs.org/go/Talk:Development_Team/Chroot

comment:9 Changed 8 years ago by godiard

  • Resolution set to obsolete
  • Status changed from assigned to closed

sugar-emulator not used anymore

comment:10 Changed 7 years ago by dnarvaez

  • Milestone 0.86 deleted

