Lxroot fails to detect insufficient Xorg display sharing permissions

Open ArdvarkDev opened this issue 2 years ago • 6 comments

The -x option maybe should automatically run xhost + local:?

alacritty, firefox and discord won't launch without doing it on the host system first. I am not aware of the implications of that command, so take this with a grain of salt.

ArdvarkDev Jan 09 '22 08:01

Thanks for the report. I fix this issue on my system once per reboot. And then I forget about it. And I reboot very rarely.

I believe there are much less permissive solutions than xhost + local:.

I will write more later today, as I don't have time right now.

parke Jan 09 '22 18:01

I think there are at least three relevant methods to grant permission to share the X display. Ordered from "most secure" to "least secure", they are:

  • Copy $HOME/.Xauthority from the host into the guest
  • Run xhost + SI:localuser:$USER
  • Run xhost + local:

lxroot's design follows the following principles:

  • lxroot itself never makes changes to your system
  • lxroot defaults towards secure behavior

Consequently, lxroot will not fix this problem. However, I do believe that lxroot should detect the problem and print a warning. When connected to a terminal, I believe lxroot should also pause execution until the user acknowledges the warning by pressing the Enter key.

vland's design principles are different. vland should do everything reasonable to maximize convenience. Therefore, I think that vland should behave as follows. When -x is specified, vland should copy $HOME/.Xauthority from the host into the guest.

Please let me know if you have any additional comments or suggestions. I hope to implement the vland change within the next week or two. I hope to implement the lxroot change within the next month or two.

parke Jan 10 '22 01:01

Copying the Xauthority into the guest doesn't change the system itself, right? I think that including it in lxroot would be nice, but I can see your point.

ArdvarkDev Jan 10 '22 02:01

I consider all files on the host to be part of the host. Including any files that happen to be inside a directory that may happen to be the newroot for some guest.

Update: I guess to be precise, I should phrase the principle as follows: "Lxroot itself never makes changes to the host, nor to the guest." (I probably will be willing to make an exception in the case where the user explicitly confirms, via a terminal prompt, a suggested change.)

parke Jan 10 '22 02:01

Perhaps lxroot could prompt the user to automatically copy if it detects the absence of a connection?

ArdvarkDev Jan 10 '22 02:01

Prompting to copy is worth considering.

Another interesting question is: How to detect the current permissions? What is the simplest external program to run to check whether or not sufficient permission already exists?

Update: It appears that xset -q might be a good probe.
Source: https://serverfault.com/a/59216

parke Jan 10 '22 03:01
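
An added example (not lxroot's code and not written by any participant in this thread): the detection discussed above as POSIX shell, using the `xset -q` probe, printing a warning with the three options listed earlier, and pausing for Enter only when attached to a terminal. The function names and the `XPROBE` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of lxroot. Checks whether the current user can
# open the X display before a guest is started with display sharing.
# XPROBE is a hypothetical override (not an lxroot option) so the logic
# can be exercised without a running X server; the default is `xset -q`.

# Prints one of: no-display, no-probe, ok, denied
x_access_status() {
  if [ -z "${DISPLAY:-}" ]; then
    echo no-display
    return 0
  fi
  _xprobe=${XPROBE:-xset -q}
  # The first word of the probe must be an available command.
  if ! command -v "${_xprobe%% *}" >/dev/null 2>&1; then
    echo no-probe
    return 0
  fi
  # xset -q exits non-zero when it cannot open the display, which
  # includes the case where the X server refuses the connection.
  if $_xprobe >/dev/null 2>&1; then
    echo ok
  else
    echo denied
  fi
}

# Warns on stderr and, on a terminal, waits for Enter.
# Makes no change to the host or the guest. Returns 0 only when access works.
x_access_warn() {
  _xstatus=$(x_access_status)
  if [ "$_xstatus" = ok ]; then
    return 0
  fi
  {
    echo "warning: X display check: $_xstatus (DISPLAY=${DISPLAY:-unset})"
    echo "ways to grant access, most to least secure, per this thread:"
    echo "  1. copy \$HOME/.Xauthority from the host into the guest"
    echo "  2. xhost + SI:localuser:\$USER"
    echo "  3. xhost + local:"
  } >&2
  if [ -t 0 ]; then
    printf 'press Enter to continue anyway: ' >&2
    read -r _xreply || true
  fi
  return 1
}
```

Call `x_access_warn` on the host just before starting the guest; a `no-probe` result means the check could not run, not that access is denied.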

I've pushed what may become version 0.22.1 to master. When appropriate, lxroot will ask for permission to copy /etc/resolv.conf and ~/.Xauthority into newroot.

If you would like to test these improvements, please let me know how it goes.

If these changes work for you (or if I don't hear from you for several days), I may go ahead and create a release of 0.22.1 on GitHub.

Thanks!

parke Aug 22 '22 21:08