[Discuss] memory management

Mike Small smallm at SDF.ORG
Thu Jun 25 16:44:32 EDT 2015


On Thu, Jun 25, 2015 at 02:32:24PM -0500, Derek Martin wrote:
> On Sun, Jun 21, 2015 at 03:18:03PM +0200, Bill Bogstad wrote:
> > On Sun, Jun 21, 2015 at 1:10 PM, Jerry Feldman <gaf at blu.org> wrote:
> 
> > I'm curious though, how this other user account gains access to your
> > X server. Allowing other user ids to write on your screen/capture
> > key & mouse events seems to me to be a potential issue.
> 
> Only if someone else can log in as that user.
> 
> It's been my experience that I didn't need to fix display access, but
> maybe it's because typically I'm switching to root.  But if you need
> to, it's not hard... just arcane.
...
> xauth add myhost/unix:0  MIT-MAGIC-COOKIE-1 <cookie_value>
> 
> Should now work fine, without allowing access to anyone else on the
> box.  Just tested it in my Ubuntu VM, closed WORKSFORME. ;-)

I figured Bill was concerned with an exploit owning firefox and
being able to run arbitrary code as that user. Arbitrary code would
include Xlib calls so they're home free. You'd need to give your
unprivileged user untrusted access to the X server to be safer. See
xauth(1), the generate command and the untrusted argument to it.
That brings the SECURITY extension into play, restricting their
access to the X server and limiting which X extensions can be used.
Give it a try, but I'm not sure you'll be happy with the resulting
behaviour of firefox or your ability to use the clipboard or
selection. There's also something called XACE, but I couldn't
make heads or tails of it. Sounds like SELinux in terms of 
complexity.

On the memory topic, I tried dillo this morning again. VSZ around 4MB,
but maybe not up to most of what you'd want to throw at it. It may
be loading everything sequentially in a single thread too. Pretty 
slow bringing up pages compared to firefox (when not swapping).

-- 
smallm at sdf.org
SDF Public Access UNIX System - http://sdf.org
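
The untrusted-cookie approach mentioned in the message above, as an added example that is not part of the original post: it wraps the `generate ... untrusted` command from xauth(1) so the restricted cookie lands in its own authority file instead of your `~/.Xauthority`. The function names, the file path and the account name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example; make_untrusted_xauth and run_with_xauth are hypothetical helper names.

# make_untrusted_xauth DISPLAY AUTHFILE [TIMEOUT_SECONDS]
# Ask the X server for a new *untrusted* MIT-MAGIC-COOKIE-1 (SECURITY
# extension) and store it in AUTHFILE. The trusted cookie in the caller's
# own authority file is used only to make the request and is never copied.
make_untrusted_xauth() {
    disp=$1 authfile=$2 timeout=${3:-60}   # 60 s is xauth's documented default
    if [ -z "$disp" ] || [ -z "$authfile" ]; then
        echo "usage: make_untrusted_xauth DISPLAY AUTHFILE [TIMEOUT]" >&2
        return 2
    fi
    # Create the file owner-only before any cookie is written to it.
    ( umask 077 && : > "$authfile" ) && chmod 600 "$authfile" || return 1
    # "." is xauth shorthand for MIT-MAGIC-COOKIE-1. The server revokes the
    # cookie if it stays unused (no client connected) for TIMEOUT seconds.
    if ! xauth -f "$authfile" generate "$disp" . untrusted timeout "$timeout"; then
        rm -f "$authfile"                  # do not leave an empty file behind
        return 1
    fi
}

# run_with_xauth AUTHFILE COMMAND [ARGS...]
# Run COMMAND so that Xlib reads only AUTHFILE, i.e. it can present the
# untrusted cookie and nothing else.
run_with_xauth() {
    authfile=$1
    shift
    env XAUTHORITY="$authfile" "$@"
}

# Usage sketch (assumed names; the file must be made readable to the other
# account, or its cookie re-added there with "xauth add" as in the quoted reply):
#   make_untrusted_xauth "$DISPLAY" /tmp/browser.xauth 300
#   sudo -u browseruser env XAUTHORITY=/tmp/browser.xauth firefox
```

Checking `xauth -f /tmp/browser.xauth list` afterwards should show exactly one entry for the display.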


