From 6b1012c29c2eee95c6ea2ef63b0e5dc628a6cb7f Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Tue, 20 Jul 2021 15:55:26 -0400
Subject: Allow client to force server to terminate if it exits

This is intended to be used by screen lockers, where the server must exit if the screen locker does, to avoid a security hole. As suggested by Alan Coopersmith, this is implemented using a new flag for the disconnect mode of the XFixes extension. Includes wording suggestions from Peter Hutterer.

Signed-off-by: Demi Marie Obenour
---
 fixesproto.pc.in | 2 +-
 fixesproto.txt | 32 +++++++++++++++++++++++++++++---
 include/X11/extensions/xfixeswire.h | 5 +++++
 3 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/fixesproto.pc.in b/fixesproto.pc.in
index 05917d8..34143c1 100644
--- a/fixesproto.pc.in
+++ b/fixesproto.pc.in
@@ -3,6 +3,6 @@ includedir=@includedir@
 Name: FixesProto
 Description: X Fixes extension headers
-Version: 6.0
+Version: 6.1
 Cflags: -I${includedir}
 Requires: xextproto >= 7.0.99.1
diff --git a/fixesproto.txt b/fixesproto.txt
index 28a6270..f462606 100644
--- a/fixesproto.txt
+++ b/fixesproto.txt
@@ -1,5 +1,5 @@
 The XFIXES Extension
- Version 5.0
+ Version 6.1
 Document Revision 1
 2010-11-15
 Keith Packard
@@ -666,15 +666,41 @@ when the relevant X11 clients have quit.
 XFixesClientDisconnectFlagDefault: 0
 XFixesClientDisconnectFlagTerminate: 1 << 0
+ XFixesClientDisconnectFlagForceTerminate: 1 << 1
 XFixesClientDisconnectFlagDefault is the default behavior for
- regular clients, i.e. the X11 server won't terminate as long as such
- clients are still connected.
+ regular clients: the X11 server won't terminate as long as such
+ clients are still connected and no other clients trigger
+ termination.
 XFixesClientDisconnectFlagTerminate indicates to the X11 server that it can ignore the client and terminate itself even though the client is still connected to the X11 server.
+ If XFixesClientDisconnectFlagForceTerminate is set at the time the
+ client disconnects, the X11 server MUST terminate and/or reset without
+ delivering further events to clients, even if other clients that have
+ not set XFixesClientDisconnectFlagTerminate are still connected.
+ Screen lockers SHOULD use this flag to ensure that the screen does not
+ unlock if they exit, which would create a security vulnerability.
+ Programs SHOULD NOT use this flag unless unexpected termination would
+ create a security vulnerability or other severe problem.
+
+ Because XFixesClientDisconnectFlagForceTerminate allows the client to
+ cause the server to terminate, it is subject to security checks to
+ prevent unauthorized use. Servers that support the X Access Control
+ Extension (XACE) MUST deny attempts to set
+ XFixesClientDisconnectFlagForceTerminate, unless the client has
+ DixManageAccess to the server. Servers that support the SECURITY
+ extension MUST forbid untrusted clients from setting
+ XFixesClientDisconnectFlagForceTerminate. Servers MAY refuse to allow
+ clients to set this flag for other reasons. For instance, a server
+ might only allow the flag to be set by local clients. If the server
+ refuses to allow the client to set this flag, an Access error results.
+
+ XFixesClientDisconnectFlagForceTerminate is only available in XFixes
+ versions 6.1 and better.
+
 13.2 Requests
 SetClientDisconnectMode
diff --git a/include/X11/extensions/xfixeswire.h b/include/X11/extensions/xfixeswire.h
index 88b43e7..83251cf 100644
--- a/include/X11/extensions/xfixeswire.h
+++ b/include/X11/extensions/xfixeswire.h
@@ -146,4 +146,9 @@
 /* The server may disconnect this client to shut down */
 #define XFixesClientDisconnectFlagTerminate (1L << 0)
+/*************** Version 6.1 ******************/
+
+/* The server must terminate if this client exits */
+#define XFixesClientDisconnectFlagForceTerminate (1L << 1)
+
 #endif /* _XFIXESWIRE_H_ */
-- cgit v1.2.3
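Review bot: The comment on `XFixesClientDisconnectFlagForceTerminate` in the xfixeswire.h hunk does not tell a caller that setting the flag can be refused or unavailable, which is exactly the case a screen locker has to handle. The fixesproto.txt text added in this same commit says the server may answer with an Access error (XACE, SECURITY, or a local-only policy) and that the flag exists only from XFixes 6.1, so a locker that sets it without checking the negotiated version and the request result would run without the fail-closed guarantee it expects. I would extend the comment to `/* The server must terminate if this client exits. Requires XFixes >= 6.1; the server may refuse with an Access error, so callers must check the result. */`. The hunk adds the define under a "Version 6.1" banner but touches nothing else in the header; if the header's version macros (outside this hunk) still advertise 6.0, they presumably need a matching bump so clients negotiate 6.1, which is worth confirming.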