diff options
Diffstat (limited to 'specs/xextproto/security.xml')
-rw-r--r-- | specs/xextproto/security.xml | 1467 |
1 files changed, 1467 insertions, 0 deletions
diff --git a/specs/xextproto/security.xml b/specs/xextproto/security.xml new file mode 100644 index 0000000..93073c5 --- /dev/null +++ b/specs/xextproto/security.xml @@ -0,0 +1,1467 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" +[ +<!ENTITY % defs SYSTEM "defs.ent"> %defs; +]> +<!--translated from security.tex, on 2010-06-27 15:29:00, +by TeX4ht (http://www.cse.ohio-state.edu/~gurari/TeX4ht/) +xhtml,docbook,html,refcaption --> + +<book id="security"> + +<bookinfo> + <title>Security Extension Specification</title> + <subtitle>X Consortium Standard</subtitle> + <authorgroup> + <author> + <firstname>David</firstname><othername>P.</othername><surname>Wiggins</surname> + <affiliation><orgname>X Consortium</orgname></affiliation> + </author> + </authorgroup> + <releaseinfo>X Version 11, Release &fullrelvers;</releaseinfo> + <releaseinfo>Version 7.1</releaseinfo> + <copyright><year>1996</year><holder>X Consortium</holder></copyright> + +<legalnotice> +<para> +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the “Software”), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: +</para> +<para> +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. +</para> +<para> +THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +</para> +<para> +Except as contained in this notice, the name of the X Consortium shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from the X Consortium. +</para> +<para>X Window System is a trademark of The OpenGroup.</para> +</legalnotice> + +<pubdate>November 15, 1996</pubdate> + +</bookinfo> + +<chapter id='Introduction'> +<title>Introduction</title> + +<para> +The Security extension contains new protocol needed to provide enhanced X +server security. The Security extension should not be exposed to untrusted +clients (defined below). +</para> + +</chapter> + +<chapter id='Requests'> +<title>Requests</title> + +<sect1 id='SecurityQueryVersion'> +<title>SecurityQueryVersion</title> +<para> +This request returns the major and minor version numbers of this extension. +</para> + +<para>SecurityQueryVersion</para> + +<informaltable frame='none'> + <?dbfo keep-together="always" ?> + <tgroup cols='2' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.5*"/> + <tbody> + <row> + <entry> + <para>client-major-version</para> + </entry> + <entry> + <para>CARD16</para> + </entry> + </row> + <row> + <entry> + <para>client-minor-version</para> + </entry> + <entry> + <para>CARD16</para> + </entry> + </row> + <row> + <entry> + <para>=></para> + </entry> + </row> + <row> + <entry> + <para>server-major-version</para> + </entry> + <entry> + <para>CARD16</para> + </entry> + </row> + <row> + <entry> + <para>server-minor-version</para> + </entry> + <entry> + <para>CARD16</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> + +<para> +The client-major-version and client-minor-version numbers indicate what +version of the protocol the client wants the server to implement. The +server-major-version and the server-minor-version numbers returned +indicate the protocol this extension actually supports. This might not +equal the version sent by the client. An implementation can (but need not) +support more than one version simultaneously. The server-major-version +and server-minor-version allow the creation of future revisions of the +Security protocol that may be necessary. In general, the major version +would increment for incompatible changes, and the minor version would +increment for small, upward-compatible changes. Servers that support +the protocol defined in this document will return a server-major-version +of one (1), and a server-minor-version of zero (0). +</para> + +<para> +Clients using the Security extension must issue a SecurityQueryVersion +request before any other Security request in order to negotiate a compatible +protocol version; otherwise, the client will get undefined behavior +(Security may or may not work). +</para> +</sect1> + +<sect1 id='SecurityGenerateAuthorization'> +<title>SecurityGenerateAuthorization</title> + +<para> +This request causes the server to create and return a new authorization with +specific characteristics. Clients can subsequently connect using the new +authorization and will inherit some of the characteristics of the +authorization. +</para> + +<para> +SecurityGenerateAuthorization +</para> +<informaltable frame='none'> + <?dbfo keep-together="always" ?> + <tgroup cols='2' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.5*"/> + <tbody> + <row> + <entry> + <para>authorization-protocol-name</para> + </entry> + <entry> + <para>STRING8</para> + </entry> + </row> + <row> + <entry> + <para>authorization-protocol-data</para> + </entry> + <entry> + <para>STRING8</para> + </entry> + </row> + <row> + <entry> + <para>value-mask</para> + </entry> + <entry> + <para>BITMASK</para> + </entry> + </row> + <row> + <entry> + <para>value-list</para> + </entry> + <entry> + <para>LISTofVALUE</para> + </entry> + </row> + <row> + <entry> + <para>=></para> + </entry> + <entry> + </entry> + </row> + <row> + <entry> + <para>authorization-id</para> + </entry> + <entry> + <para>AUTHID</para> + </entry> + </row> + <row> + <entry> + <para>authorization-data-return</para> + </entry> + <entry> + <para>STRING8</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> + +<para> +Errors: <function>AuthorizationProtocol</function>, <function>Value</function>, <function>Alloc</function> +</para> + +<para> +authorization-protocol-name is the name of the authorization method for +which the server should generate a new authorization that subsequent +clients can use to connect to the server. If the authorization-protocol-name +is not one that the server supports, or if authorization-protocol-data +does not make sense for the given authorization-protocol-name, an +AuthorizationProtocol error results. +</para> + +<para> +authorization-protocol-data is authorization-method specific data that can +be used in some way to generate the authorization. +</para> + +<note><para> +In this version of the extension, the only authorization method +required to be supported is "MIT-MAGIC-COOKIE-1" with any amount +of authorization-protocol-data (including none). The server may use the +authorization-protocol-data as an additional source of randomness used +to generate the authorization. Other authorization methods can supply +their own interpretation of authorization-protocol-data. +</para></note> + +<para> +The value-mask and value-list specify attributes of the authorization +that are to be explicitly initialized. The possible values are: +</para> + +<informaltable frame='topbot'> + <?dbfo keep-together="always" ?> + <tgroup cols='3' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.0*"/> + <colspec colname='c3' colwidth="1.0*"/> + <thead> + <row rowsep='1'> + <entry>Attribute</entry> + <entry>Type</entry> + <entry>Default</entry> + </row> + </thead> + <tbody> + <row> + <entry> + <para>timeout</para> + </entry> + <entry> + <para>CARD32</para> + </entry> + <entry> + <para>60</para> + </entry> + </row> + <row> + <entry> + <para>group</para> + </entry> + <entry> + <para>XID or None</para> + </entry> + <entry> + <para>None</para> + </entry> + </row> + <row> + <entry> + <para>trust-level</para> + </entry> + <entry> + <para>{SecurityClientTrusted,</para> + </entry> + </row> + <row> + <entry> + <para></para> + </entry> + <entry> + <para>SecurityClientUntrusted}</para> + </entry> + <entry> + <para>SecurityClientUntrusted</para> + </entry> + </row> + <row> + <entry> + <para>event-mask</para> + </entry> + <entry> + <para>SecurityAuthorizationRevoked,</para> + </entry> + </row> + <row rowsep="1"> + <entry> + <para></para> + </entry> + <entry> + <para>or None</para> + </entry> + <entry> + <para>None</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> + +<para> +timeout is the timeout period in seconds for this authorization. A +timeout value of zero means this authorization will never expire. For +non-zero timeout values, when timeout seconds have elapsed since the +last time that the authorization entered the state of having no +connections authorized by it, and if no new connections used the +authorization during that time, the authorization is automatically purged. +(Note that when an authorization is created, it enters the state of having no +connections authorized by it.) Subsequent connection attempts using that +authorization will fail. This is to facilitate "fire and forget" launching of +applications. +</para> + +<para> +group is an application group ID as defined by the Application Group +extension, or None. Any other values will cause a Value error. When a +group is destroyed, all authorizations specifying that group are revoked +as described under the SecurityRevokeAuthorization request. The Application +Group extension attaches additional semantics to the group. +</para> + +<para> +trust-level tells whether clients using the authorization are trusted or +untrusted. If trust-level is not one of the constants SecurityClientTrusted +or SecurityClientUntrusted, a Value error results. +</para> + +<para> +event-mask defines which events the client is interested in for this +authorization. When the authorization expires or is revoked if event-mask +contains SecurityAuthorizationRevoked a SecurityAuthorizationRevoked event +is reported to the client. +</para> + +<para> +The SecurityAuthorizationRevoked event contains the following field: +</para> + +<informaltable frame='topbot'> + <?dbfo keep-together="always" ?> + <tgroup cols='2' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.5*"/> + <thead> + <row rowsep="1"> + <entry>Field</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry> + <para>authorization-id</para> + </entry> + <entry> + <para>AUTHID</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> + +<para> +where authorization-id is the identification of the authorization that was +revoked. +</para> +<para> +If an invalid value-mask is specified, a Value error occurs. +</para> + +<para> +The returned authorization-id is a non-zero value that uniquely identifies +this authorization for use in other requests. The value space for type +AUTHID is not required to be disjoint from values spaces of other core +X types, e.g. resource ids, atoms, visual ids, and keysyms. Thus, a given +numeric value might be both a valid AUTHID and a valid atom, for example. +</para> + +<para> +authorization-data-return is the data that a client should use in some +authorization-method-specific way to make a connection with this +authorization. For "MIT-MAGIC-COOKIE-1," authorization-data-return should +be sent as the authorization-protocol-data in the connection setup message. +It is not required that other authorization methods use +authorization-data-return this way. +</para> + +</sect1> + +<sect1 id='SecurityRevokeAuthorization'> +<title>SecurityRevokeAuthorization</title> + +<para> +This request deletes an authorization created by SecurityGenerateAuthorization. +</para> + +<para> +SecurityRevokeAuthorization +</para> + +<informaltable frame='none'> + <?dbfo keep-together="always" ?> + <tgroup cols='2' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.5*"/> + <tbody> + <row> + <entry> + <para><emphasis remap='I'>authorization-id</emphasis></para> + </entry> + <entry> + <para>AUTHID</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> + +<para> +Errors: <function>Authorization</function> +</para> + +<para> +If authorization-id does not name a valid authorization, an Authorization +error occurs. Otherwise, this request kills all clients currently connected +using the authorization specified by authorization-id. The authorization is +deleted from the server's database, so future attempts by clients to connect +with this authorization will fail. +</para> + +</sect1> +</chapter> + +<chapter id='Changes_to_Core_Requests'> +<title>Changes to Core Requests</title> + +<para> +A server supporting this extension modifies the handling of some core +requests in the following ways. +</para> +<sect1 id='Resource_ID_Usage'> +<title>Resource ID Usage</title> + +<para> +If an untrusted client makes a request that specifies a resource ID that is +not owned by another untrusted client, a protocol error is sent to the +requesting client indicating that the specified resource does not exist. +The following exceptions apply. An untrusted client can: +</para> + +<orderedlist> + <listitem> + <para> +use the QueryTree, GetGeometry, and TranslateCoordinates requests +without restriction. + </para> + </listitem> + <listitem> + <para> +use colormap IDs that are returned in the default-colormap field of its +connection setup information in any colormap requests. + </para> + </listitem> + <listitem> + <para>specify a root window as:</para> + <orderedlist> + <listitem> + <para> +the drawable field of CreatePixmap, CreateGC, and QueryBestSize. + </para> + </listitem> + <listitem> + <para>the parent field of CreateWindow.</para> + </listitem> + <listitem> + <para> +the window field of CreateColormap, ListProperties, and GetWindowAttributes. + </para> + </listitem> + <listitem> + <para>the grab-window or confine-to fields of GrabPointer. + </para> + </listitem> + <listitem> + <para>the grab-window field of UngrabButton.</para> + </listitem> + <listitem> + <para> +the destination of SendEvent, but only if all of the following are true. +(These conditions cover all the events that the ICCCM specifies with +a root window destination.) + </para> + <orderedlist> + <listitem> + <para>The propogate field of SendEvent is False.</para> + </listitem> + <listitem> + <para> +The event-mask field of SendEvent is ColormapChange, +StructureNotify, or the logical OR of SubstructureRedirect with +SubstructureNotify. + </para> + </listitem> + <listitem> + <para> +The event type being sent is UnmapNotify, ConfigureRequest, or +ClientMessage. + </para> + </listitem> + </orderedlist> + </listitem> + <listitem> + <para> +the window field of ChangeWindowAttributes, but only if the value-mask +contains only event-mask and the corresponding value is StructureNotify, +PropertyChange, or the logical OR of both. + </para> + </listitem> + </orderedlist> + </listitem> +</orderedlist> + +<note> +<para> +ISSUE: are root window exceptions needed for these? WarpPointer, ReparentWindow +(parent), CirculateWindow, QueryPointer (emacs does this), GetMotionEvents. +</para> +</note> + +</sect1> +<sect1 id='Extension_Security'> +<title>Extension Security</title> + +<para> +This extension introduces the notion of secure and insecure extensions. A +secure extension is believed to be safe to use by untrusted clients; that +is, there are no significant security concerns known that an untrusted +client could use to destroy, modify, or steal data of trusted clients. This +belief may be founded on a careful analysis of the extension protocol, +its implementation, and measures taken to "harden" the extension to close +security weaknesses. All extensions not considered secure are called +insecure. The implementation details of how an extension is identified as +secure or insecure are beyond the scope of this specification. +</para> + +<para> +<function>ListExtensions</function> will only return names of secure +extensions to untrusted clients. +</para> + +<para> +If an untrusted client uses <function>QueryExtension</function> on an +insecure extension that the server supports, the reply will have the +present field set to False and the major-opcode field set to zero to +indicate that the extension is not supported. +</para> + +<para> +If an untrusted client successfully guesses the major opcode of an +insecure extension, attempts by it to execute requests with that major +opcode will fail with a Request error. +</para> + +</sect1> + +<sect1 id='Keyboard_Security'> +<title>Keyboard Security</title> + + +<para> +The protocol interpretation changes in this section are intended to prevent +untrusted applications from stealing keyboard input that was meant for +trusted clients and to prevent them from interfering with the use of the +keyboard. +</para> + +<para> +The behavior of some keyboard-related requests and events is modified when +the client is untrusted depending on certain server state at the time of +request execution or event generation. Specifically, if a hypothetical +keyboard event were generated given the current input focus, pointer +position, keyboard grab state, and window event selections, and if that +keyboard event would not be delivered to any untrusted client, the +following changes apply: +</para> + +<orderedlist> + <listitem> + <para> +The bit vector representing the up/down state of the keys returned by +<function>QueryKeymap</function> and +<function>KeymapNotify</function> is all zeroes. + </para> + </listitem> + <listitem> + <para>GrabKeyboard returns a status of AlreadyGrabbed.</para> + </listitem> + <listitem> + <para> +<function>SetInputFocus</function> does nothing. Note that this means the +Globally Active +Input and WM_TAKE_FOCUS mechanisms specified in the ICCCM will +not work with untrusted clients. + </para> + </listitem> + <listitem> + <para> +Passive grabs established by GrabKey that would otherwise have activated +do not activate. + </para> + </listitem> +</orderedlist> + +<para> +If an untrusted client attempts to use any of the following requests, the +only effect is that the client receives an Access error: SetModifierMapping, +ChangeKeyboardMapping, ChangeKeyboardControl. +</para> + +<para> +If an InputOnly window owned by an untrusted client has a parent owned by a +trusted client, all attempts to map the window will be ignored. This includes +mapping attempts resulting from MapWindow, MapSubwindows, ReparentWindow, +and save-set processing. +</para> +<para> +However, if the parent of an InputOnly window owned by an untrusted client +is the root window, attempts to map that window will be performed as +expected. This is in line with the root window exceptions above. +</para> +</sect1> + +<sect1 id='Image_Security'> +<title>Image Security</title> + +<para> +It should be impossible for an untrusted client to retrieve the image +contents of a trusted window unless a trusted client takes action to allow +this. We introduce the following defenses in support of this requirement. +</para> + +<para> +The restrictions on resource ID usage listed above prevent untrusted clients +from using GetImage directly on windows not belonging to trusted clients. +</para> + +<para> +If an untrusted client tries to set the background-pixmap attribute of an +untrusted window to None, the server will instead use a server-dependent +background which must be different than None. +</para> + +<para> +The X protocol description of <function>GetImage</function> states that the +returned contents of regions of a window obscured by noninferior windows are +undefined if the window has no backing store. Some implementations return the +contents of the obscuring windows in these regions. When an untrusted client +uses <function>GetImage</function>, this behavior is forbidden; the server must +fill the obscured regions in the returned image with a server-dependent pattern. +</para> + +<para> +If an untrusted window has trusted inferiors, their contents are vulnerable +to theft via <function>GetImage</function> on the untrusted parent, as well +as being vulnerable to destruction via drawing with subwindow-mode +IncludeInferiors on the untrusted parent. An untrusted window having trusted +inferiors can only occur at the request of a trusted client. It is expected +to be an unusual configuration. +</para> + +</sect1> + +<sect1 id='Property_Security'> +<title>Property Security</title> + +<para> +Unlike the other security provisions described in this document, security for +property access is not amenable to a fixed policy because properties are +used for inter-client communication in diverse ways and may contain data of +varying degrees of sensitivity. Therefore, we only list the possible +restrictions the server may decide to impose on use of properties on trusted +windows by untrusted clients. How the server chooses which restrictions from +this list to apply to a particular property access is implementation dependent + <footnote><para> +In the X Consortium server implementation, property access is controlled by +a configuration file; see the -sp option in the Xserver(1) manual page. + </para></footnote>. +</para> + +<para>The X Protocol property requests are +<function>ChangeProperty</function>, +<function>GetProperty</function>, +<function>DeleteProperty</function>, +<function>RotateProperties</function>, and +<function>ListProperties</function>. For these requests, the server can +allow the request to execute normally (as if it had been issued by a +trusted client), ignore the request completely (as if it were a NoOperation), +or ignore the request except to send an Atom error to the client. Ignoring +a <function>ListProperties</function> request means replying that +the window has no properties. <function>ListProperties</function> may also +reply with a subset of the existing properties if the server is doing +property hiding; see below. An ignored <function>GetProperty</function> +request may reply that the property does not exist, or that it exists but +contains no data. +</para> + +<para> +The server may decide to hide certain properties on certain windows from +untrusted clients + <footnote><para> +The X Consortium server implementation does not currently provide a way to +hide properties. + </para></footnote>. +If a property is to be hidden, it must be done consistently to avoid +confusing clients. This means that for untrusted clients: +</para> + +<itemizedlist> + <listitem> + <para> +That property should not be returned by +<function>ListProperties</function>. + </para> + </listitem> + <listitem> + <para> +<function>PropertyNotify</function> events should not be sent for that +property.</para> + </listitem> + <listitem> + <para> +<function>GetProperty</function> on that property should reply that the +property does not exist (the return type is None, the format and +bytes-after are zero, and the value is empty). + </para> + </listitem> +</itemizedlist> + +<para> +For a property that the server is protecting but not hiding, consistency +must also be maintained: +</para> + +<itemizedlist> + <listitem> + <para> +That property should be returned by <function>ListProperties</function>. + </para> + </listitem> + <listitem> + <para> +<function>PropertyNotify</function> events should be sent for that property. + </para> + </listitem> + <listitem> + <para> +<function>GetProperty</function> on that property should reply that the +property exists (if it really does) but the value is empty +(return type and format are their real values, and the "length of value" +field in the reply is zero). + </para> + </listitem> +</itemizedlist> + +</sect1> + +<sect1 id='Miscellaneous_Security'> +<title>Miscellaneous Security</title> + +<para> +If an untrusted client attempts to use +<function>ChangeHosts</function>, +<function>ListHosts</function>, or +<function>SetAccessControl</function>, +the only effect is that the client receives an Access error. +</para> + +<para> +If an untrusted client attempts to use <function>ConvertSelection</function> +on a selection with a trusted selection owner window, the server generates +a SelectionNotify event to the requestor with property None. +</para> +</sect1> +</chapter> + +<chapter id='New_Authorization_Method'> +<title>New Authorization Method</title> + +<para> +This extension includes a new authorization method named +"XC-QUERY-SECURITY-1". Its purpose is to allow an external agent such as +the X firewall proxy to probe an X server to determine whether that server +meets certain security criteria without requiring the agent to have its +own authorization for that server. The agent may use the returned information +to make a decision. For example, the X firewall proxy may choose not to +forward client connections to servers that do not meet the criteria. +</para> + +<para> +To use this authorization method, the client (or proxy) sends +"XC-QUERY-SECURITY-1" as the authorization-protocol-name in the initial +connection setup message. The authorization-protocol-data may be empty or +may contain additional security criteria desribed below. If the success +field of the server's reply is Authenticate, the server supports the +security extension, and the server meets all specified additional security +criteria. In this case, the client should resend the initial connection +setup message substituting the authorization protocol name and data +that should be used to authorize the connection. If the success field of the +server's reply is anything other than Authenticate, either the server does not +support the security extension, does not meet (or cannot determine if it +meets) all of the additional security criteria, or chooses for internal reasons +not to answer with Authenticate. In this case, the client should close the +connection. +</para> + +<para> +If the authorization-protocol-data sent with "XC-QUERY-SECURITY-1" is not +empty, it specifies additional security criteria for the server to check, as +follows. +</para> + +<para> +<function>authorization-protocol-data</function> +</para> + +<informaltable frame='none'> + <?dbfo keep-together="always" ?> + <tgroup cols='2' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.5*"/> + <tbody> + <row> + <entry> + <para>policy-mask</para> + </entry> + <entry> + <para>BITMASK</para> + </entry> + </row> + <row> + <entry> + <para>policies</para> + </entry> + <entry> + <para>LISTofSECURITYPOLICY</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> + +<para> +The policy-mask field is any logical-OR combination of the constants +Extensions and SitePolicies. For each bit set in policy-mask, there is a +SECURITYPOLICY element in policies. The nth element in policies corresponds +to the nth 1-bit in policy-mask, counting upward from bit 0. +</para> + +<para><function>SECURITYPOLICY</function></para> + +<informaltable frame='none'> + <?dbfo keep-together="always" ?> + <tgroup cols='2' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.5*"/> + <tbody> + <row> + <entry> + <para>policy-type</para> + </entry> + <entry> + <para>{Disallow, Permit}</para> + </entry> + </row> + <row> + <entry> + <para>names</para> + </entry> + <entry> + <para>LISTofSTR</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> + +<para> +For a SECURITYPOLICY corresponding to policy-mask Extensions, if +policy-type is Disallow the server is required to consider as insecure +all extensions given in names. No policy is specified for extensions +not listed in names. If policy-type is Permit the server may consider +only those extensions given in names to be secure; all other extensions +must be treated as insecure. If these constraints are not met, the server +should not return Authenticate in the success field of the reply. +Servers can but need not dynamically configure themselves in response +to an Extensions SECURITYPOLICY; a conforming server might simply compare +the policy with a compiled-in table of extensions and their security status. +</para> + +<para> +For a SECURITYPOLICY corresponding to policy-mask SitePolicies, policy-type +Disallow means the server must not have been configured with any of the site +policies given in names. Policy-type Permit means the server must have +been configured with at least one of the site policies given in names. If +these constraints are not met, the server should not return Authenticate in +the success field of the reply. +</para> + +<para> +SitePolicies provide a way to express new forms of security-relevant +information that could not be anticipated at the time of this writing. +For example, suppose the server is found to have a critical security defect. +When a fix is developed, a site policy string could be associated with the +fix. Servers with the fix would advertise that site policy, and the X +firewall proxy would specify that site policy in a SECURITYPOLICY with +policy-type Permit. +</para> + +</chapter> + +<chapter id='Encoding'> +<title>Encoding</title> + +<para> +Please refer to the X11 Protocol Encoding document as this section +uses syntactic conventions and data types established there. +</para> + +<para> +The name of this extension is "SECURITY". +</para> + +<sect1 id='Types'> +<title>Types</title> +<para> +AUTHID: CARD32 +</para> +</sect1> + +<sect1 id='Request_Encoding'> +<title>Request Encoding</title> + +<para> +SecurityQueryVersion +</para> +<literallayout remap='FD'> +1 CARD8 major-opcode +1 0 minor-opcode +2 2 request length +2 CARD16 client-major-version +2 CARD16 client-minor-version +=> +1 1 Reply +1 unused +2 CARD16 sequence number +4 0 reply length +2 CARD16 server-major-version +2 CARD16 server-minor-version +20 unused +</literallayout> + +<para> +<function>SecurityRevokeAuthorization</function> +</para> + +<literallayout remap='FD'> +1 CARD8 major-opcode +1 2 minor-opcode +2 2 request length +4 AUTHID authorization-id +</literallayout> + +<para> +SecurityGenerateAuthorization +</para> + +<literallayout remap='FD'> +1 CARD8 major-opcode +1 1 minor-opcode +2 3 + (m+n+3)/4 + s request length +2 CARD16 m, number of bytes in authorization protocol name +2 CARD16 n, number of bytes in authorization data +m STRING8 authorization protocol name +n STRING8 authorization protocol data +p unused, p=pad(m+n) +4 BITMASK value-mask (has s bits set to 1) + #x00000001 timeout + #x00000002 trust-level + #x00000004 group + #x00000008 event-mask +4s LISTofVALUE value-list +</literallayout> + +<para> +VALUES +</para> +<literallayout remap='FD'> +4 CARD32 timeout +4 trust-level + 0 SecurityClientTrusted + 1 SecurityClientUntrusted +4 XID group +0 None +4 CARD32 event-mask + #x00000001 SecurityAuthorizationRevoked +=> +1 1 Reply +1 unused +2 CARD16 sequence number +4 (q+3)/4 reply length +4 AUTHID authorization-id +2 CARD16 data-length +18 unused +q STRING8 authorization-data-return +r unused, r=pad(q) +</literallayout> + +</sect1> + +<sect1 id='Event_Encoding'> +<title>Event Encoding</title> +<para> +<function>SecurityAuthorizationRevoked</function> +</para> + +<literallayout remap='FD'> +1 0+extension event base code +1 unused +2 CARD16 sequence number +4 AUTHID authorization id +24 unused +</literallayout> + +</sect1> + +<sect1 id='Authorization_Method_Encoding'> +<title>Authorization Method Encoding</title> + +<para> +For authorization-protocol-name "XC-QUERY-SECURITY-1", the +authorization-protocol-data is interpreted as follows: +</para> + +<para> +<function>authorization-protocol-data</function> +</para> +<literallayout remap='FD'> +1 BITMASK policy-mask + #x00000001 Extensions + #x00000002 SitePolicies +m LISTofSECURITYPOLICY policies +</literallayout> + +<para> +<function>SECURITYPOLICY</function> +</para> + +<literallayout remap='FD'> +1 policy-type + 0 Permit + 1 Disallow +1 CARD8 number of STRs in names +n LISTofSTR names +</literallayout> + +<para> +LISTofSTR has the same encoding as in the X protocol: each STR is a single +byte length, followed by that many characters, and there is no padding or +termination between STRs. +</para> +</sect1> + +</chapter> +<chapter id='C_Language_Binding'> +<title>C Language Binding</title> + +<para> +The header for this extension is <X11/extensions/security.h>. All +identifier names provided by this header begin with XSecurity. +</para> + +<para> +All functions that have return type Status will return nonzero for +success and zero for failure. +</para> + +<funcsynopsis id='XSecurityQueryExtension'> +<funcprototype> + <funcdef>Status <function>XSecurityQueryExtension</function></funcdef> + <paramdef>Display <parameter> *dpy</parameter></paramdef> + <paramdef>int <parameter> *major_version_return</parameter></paramdef> + <paramdef>int <parameter> *minor_version_return</parameter></paramdef> +</funcprototype> +</funcsynopsis> + +<para> +<xref linkend='XSecurityQueryExtension' xrefstyle='select: title'/> sets major_version_return and +minor_version_return to the major and minor Security protocol version +supported by the server. If the Security library is compatible with the +version returned by the server, it returns nonzero. If dpy does not support +the Security extension, or if there was an error during communication with +the server, or if the server and library protocol versions are incompatible, +it returns zero. No other XSecurity functions may be called before this +function. If a client violates this rule, the effects of all subsequent +XSecurity calls that it makes are undefined. +</para> + +<funcsynopsis id='XSecurityAllocXauth'> +<funcprototype> + <funcdef>Xauth *<function>XSecurityAllocXauth</function></funcdef> + <paramdef><parameter>void</parameter></paramdef> +</funcprototype> +</funcsynopsis> +<para> +In order to provide for future evolution, Xauth structures are used to +pass and return authorization data, and the library provides ways to +allocate and deallocate them. +</para> + +<para> +<xref linkend='XSecurityAllocXauth' xrefstyle='select: title'/> must be used to allocate the +Xauth structure that is passed to +<xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/>. +</para> + +<para> +For the purposes of the Security extension, the Xauth structure has +the following fields: +</para> + +<informaltable frame='topbot'> + <?dbfo keep-together="always" ?> + <tgroup cols='3' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.0*"/> + <colspec colname='c3' colwidth="3.0*"/> + <thead> + <row rowsep="1"> + <entry>Type</entry> + <entry>Field name</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry> + <para>unsigned short</para> + </entry> + <entry> + <para>name_length</para> + </entry> + <entry> + <para>number of bytes in name</para> + </entry> + </row> + <row> + <entry> + <para>char *</para> + </entry> + <entry> + <para>name</para> + </entry> + <entry> + <para>authorization protocol name</para> + </entry> + </row> + <row> + <entry> + <para>unsigned short</para> + </entry> + <entry> + <para>data_length</para> + </entry> + <entry> + <para>number of bytes in data</para> + </entry> + </row> + <row rowsep="1"> + <entry> + <para>char *</para> + </entry> + <entry> + <para>data</para> + </entry> + <entry> + <para>authorization protocol data</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> +<para> +The Xauth structure returned by this function is initialized as follows: +name_length and data_length are zero, and name and data are NULL. +</para> + +<funcsynopsis id='XSecurityFreeXauth'> +<funcprototype> + <funcdef>void <function>XSecurityFreeXauth</function></funcdef> + <paramdef>Xauth<parameter> *auth</parameter></paramdef> +</funcprototype> +</funcsynopsis> + +<para> +<xref linkend='XSecurityFreeXauth' xrefstyle='select: title'/> must be used to free Xauth +structures allocated by +<xref linkend='XSecurityAllocXauth' xrefstyle='select: title'/> or returned by +<xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/>. It is the +caller's responsibility to fill in the name and data fields of Xauth structures +allocated with <xref linkend='XSecurityAllocXauth' xrefstyle='select: title'/>, so this function +will not attempt to free them. In contrast, all storage associated with +Xauth structures returned from +<xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/> will be freed by this +function, including the name and data fields. +</para> + + +<funcsynopsis id='XSecurityRevokeAuthorization'> +<funcprototype> + <funcdef>Bool <function>XSecurityRevokeAuthorization</function></funcdef> + <paramdef>Display<parameter> *dpy</parameter></paramdef> + <paramdef>XSecurityAuthorization<parameter> auth_id</parameter></paramdef> +</funcprototype> +</funcsynopsis> + +<para> +<xref linkend='XSecurityRevokeAuthorization' xrefstyle='select: title'/> deletes the authorization +specified by auth_id, which must be a value returned in the auth_id_return +parameter of <xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/>. All +clients that connected with that authorization are be killed. Subsequently, +clients that attempt to connect using that authorization will be refused. +</para> + + +<funcsynopsis id='XSecurityGenerateAuthorization'> +<funcprototype> + <funcdef>Xauth *<function>XSecurityGenerateAuthorization</function></funcdef> + <paramdef>Display<parameter> *dpy</parameter></paramdef> + <paramdef>Xauth<parameter> *auth_in</parameter></paramdef> + <paramdef>unsigned long<parameter> valuemask</parameter></paramdef> + <paramdef>XSecurityAutorizationAttributes <parameter> *attributes</parameter></paramdef> + <paramdef>XSecurityAutorization<parameter> *auth_id_return</parameter></paramdef> +</funcprototype> +</funcsynopsis> + +<para> +<xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/> creates a new +authorization with the specified attributes. The auth_in argument must be +allocated by <xref linkend='XSecurityAllocXauth' xrefstyle='select: title'/>. The +name and name_length fields of auth_in should be initialized to the +authorization protocol name and its length in characters respectively. +If there is authorization data, the data and data_length fields of +auth_in should be initialized to the data and its length in characters +respectivley. The library does not assume that name and data are +null-terminated strings. The auth_in argument must be freed with +<xref linkend='XSecurityFreeXauth' xrefstyle='select: title'/>. +</para> + +<para> +The XSecurityAuthorizationAttributes structure has the following fields: +</para> + +<informaltable frame='topbot'> + <?dbfo keep-together="always" ?> + <tgroup cols='3' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.0*"/> + <colspec colname='c3' colwidth="3.0*"/> + <thead> + <row rowsep="1"> + <entry>Type</entry> + <entry>Field name</entry> + <entry>Mask</entry> + </row> + </thead> + <tbody> + <row> + <entry> + <para>unsigned int</para> + </entry> + <entry> + <para>trust_level</para> + </entry> + <entry> + <para>XSecurityTrustLevel</para> + </entry> + </row> + <row> + <entry> + <para>unsigned int</para> + </entry> + <entry> + <para>timeout</para> + </entry> + <entry> + <para>XSecurityTimeout</para> + </entry> + </row> + <row> + <entry> + <para>XID</para> + </entry> + <entry> + <para>group</para> + </entry> + <entry> + <para>XSecurityGroup</para> + </entry> + </row> + <row rowsep="1"> + <entry> + <para>long</para> + </entry> + <entry> + <para>event_mask</para> + </entry> + <entry> + <para>XSecurityEventMask</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> + +<para> +These correspond to the trust-level, timeout, group, and event-mask +described in the SecurityGenerateAuthorization protocol request. The +caller can fill in values for any subset of these attributes. The valuemask +argument must be the bitwise OR of the symbols listed in the Mask column +for all supplied attributes. The event_mask attribute can be None, +XSecurityAuthorizationRevokedMask, or XSecurityAllEventMasks. In this +revision of the protocol specification XSecurityAllEventMasks is equivalent +to XSecurityAuthorizationRevokedMask. If the caller does not need to +specify any attributes, the attributes argument can be NULL, and the +valuemask argument must be zero. +</para> +<para> +If the function fails, NULL is returned and auth_id_return is filled in +with zero. Otherwise, a pointer to an Xauth structure is returned. The name +and name_length fields of the returned Xauth structure will be copies of the +name that was passed in, and the data and data_length fields will be set to +the authorization data returned by the server. The caller should not assume +that name and data are null-terminated strings. If no authorization data was +returned by the server, the data and data_length fields will be set to NULL +and zero repectively. The returned Xauth structure must be freed with +<xref linkend='XSecurityFreeXauth' xrefstyle='select: title'/>; the caller should not use any other +means free the structure or any of its components. The auth_id_return +argument will be filled in with the non-zero authorization id of the created +authorization. +</para> + +<para> +The XSecurityAuthorizationRevokedEvent structure has the following fields: +</para> + +<informaltable frame='topbot'> + <?dbfo keep-together="always" ?> + <tgroup cols='3' align='left' colsep='0' rowsep='0'> + <colspec colname='c1' colwidth="1.0*"/> + <colspec colname='c2' colwidth="1.0*"/> + <colspec colname='c3' colwidth="3.0*"/> + <thead> + <row rowsep="1"> + <entry>Type</entry> + <entry>Field name</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry> + <para>int</para> + </entry> + <entry> + <para>type</para> + </entry> + <entry> + <para>event base + XSecurityAuthorizationRevoked</para> + </entry> + </row> + <row> + <entry> + <para>unsigned long</para> + </entry> + <entry> + <para>serial</para> + </entry> + <entry> + <para># of last request processed by server</para> + </entry> + </row> + <row> + <entry> + <para>Bool</para> + </entry> + <entry> + <para>send_event</para> + </entry> + <entry> + <para>true if this came from SendEvent</para> + </entry> + </row> + <row> + <entry> + <para>Display*</para> + </entry> + <entry> + <para>display</para> + </entry> + <entry> + <para>Display the event was read from</para> + </entry> + </row> + <row rowsep="1"> + <entry> + <para>XSecurityAuthorization</para> + </entry> + <entry> + <para>auth_id</para> + </entry> + <entry> + <para>revoked authorization id</para> + </entry> + </row> + </tbody> + </tgroup> +</informaltable> +</chapter> +</book> |