diff options
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Xext/Makefile.am | 7 | ||||
-rw-r--r-- | Xext/SecurityPolicy | 86 | ||||
-rw-r--r-- | doc/Makefile.am | 2 | ||||
-rw-r--r-- | doc/SecurityPolicy.man.pre | 258 | ||||
-rw-r--r-- | doc/Xserver.man.pre | 13 |
6 files changed, 1 insertions, 367 deletions
diff --git a/.gitignore b/.gitignore index 27132c0f9..1213d9993 100644 --- a/.gitignore +++ b/.gitignore @@ -92,8 +92,6 @@ cfb32/cfbzerarcG.c cfb32/cfbzerarcX.c doc/Xserver.1x doc/Xserver.man -doc/SecurityPolicy.5 -doc/SecurityPolicy.man hw/dmx/Xdmx hw/dmx/Xdmx.1x hw/dmx/config/dmxtodmx diff --git a/Xext/Makefile.am b/Xext/Makefile.am index 6fe1c3488..f57e59910 100644 --- a/Xext/Makefile.am +++ b/Xext/Makefile.am @@ -33,9 +33,6 @@ MODULE_SRCS = \ sync.c \ xcmisc.c -# Extra configuration files ship with some extensions -SERVERCONFIG_DATA = - # Optional sources included if extension enabled by configure.ac rules # MIT Shared Memory extension @@ -86,9 +83,6 @@ endif XCSECURITY_SRCS = security.c securitysrv.h if XCSECURITY BUILTIN_SRCS += $(XCSECURITY_SRCS) - -SERVERCONFIG_DATA += SecurityPolicy -AM_CFLAGS += -DDEFAULTPOLICYFILE=\"$(SERVERCONFIGdir)/SecurityPolicy\" endif XCALIBRATE_SRCS = xcalibrate.c @@ -166,7 +160,6 @@ libXextmodule_la_SOURCES = $(MODULE_SRCS) endif EXTRA_DIST = \ - $(SERVERCONFIG_DATA) \ $(MITSHM_SRCS) \ $(XV_SRCS) \ $(RES_SRCS) \ diff --git a/Xext/SecurityPolicy b/Xext/SecurityPolicy deleted file mode 100644 index 04dfb0e6b..000000000 --- a/Xext/SecurityPolicy +++ /dev/null @@ -1,86 +0,0 @@ -version-1 - -# $Xorg: SecurityPolicy,v 1.3 2000/08/17 19:47:56 cpqbld Exp $ - -# Property access rules: -# property <property> <window> <permissions> -# <window> ::= any | root | <propertyselector> -# <propertyselector> ::= <property> | <property>=<value> -# <permissions> :== [ <operation> | <action> | <space> ]* -# <operation> :== r | w | d -# r read -# w write -# d delete -# <action> :== a | i | e -# a allow -# i ignore -# e error - -# Allow reading of application resources, but not writing. -property RESOURCE_MANAGER root ar iw -property SCREEN_RESOURCES root ar iw - -# Ignore attempts to use cut buffers. Giving errors causes apps to crash, -# and allowing access may give away too much information. -property CUT_BUFFER0 root irw -property CUT_BUFFER1 root irw -property CUT_BUFFER2 root irw -property CUT_BUFFER3 root irw -property CUT_BUFFER4 root irw -property CUT_BUFFER5 root irw -property CUT_BUFFER6 root irw -property CUT_BUFFER7 root irw - -# If you are using Motif, you probably want these. -property _MOTIF_DEFAULT_BINDINGS root ar iw -property _MOTIF_DRAG_WINDOW root ar iw -property _MOTIF_DRAG_TARGETS any ar iw -property _MOTIF_DRAG_ATOMS any ar iw -property _MOTIF_DRAG_ATOM_PAIRS any ar iw - -# If you are running CDE you also need these -property _MOTIF_WM_INFO root arw -property TT_SESSION root irw -property WM_ICON_SIZE root irw -property "SDT Pixel Set" any irw - -# The next two rules let xwininfo -tree work when untrusted. -property WM_NAME any ar - -# Allow read of WM_CLASS, but only for windows with WM_NAME. -# This might be more restrictive than necessary, but demonstrates -# the <required property> facility, and is also an attempt to -# say "top level windows only." -property WM_CLASS WM_NAME ar - -# These next three let xlsclients work untrusted. Think carefully -# before including these; giving away the client machine name and command -# may be exposing too much. -property WM_STATE WM_NAME ar -property WM_CLIENT_MACHINE WM_NAME ar -property WM_COMMAND WM_NAME ar - -# To let untrusted clients use the standard colormaps created by -# xstdcmap, include these lines. -property RGB_DEFAULT_MAP root ar -property RGB_BEST_MAP root ar -property RGB_RED_MAP root ar -property RGB_GREEN_MAP root ar -property RGB_BLUE_MAP root ar -property RGB_GRAY_MAP root ar - -# To let untrusted clients use the color management database created -# by xcmsdb, include these lines. -property XDCCC_LINEAR_RGB_CORRECTION root ar -property XDCCC_LINEAR_RGB_MATRICES root ar -property XDCCC_GRAY_SCREENWHITEPOINT root ar -property XDCCC_GRAY_CORRECTION root ar - -# To let untrusted clients use the overlay visuals that many vendors -# support, include this line. -property SERVER_OVERLAY_VISUALS root ar - -# Only trusted extensions can be used by untrusted clients -trust extension XC-MISC -trust extension BIG-REQUESTS -trust extension XpExtension diff --git a/doc/Makefile.am b/doc/Makefile.am index ce1979d4f..d3911c9bf 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -5,7 +5,7 @@ filemandir = $(FILE_MAN_DIR) # (i.e. those handled in the os/utils.c options processing instead of in # the DDX-level options processing) appman_PRE = Xserver.man.pre -fileman_PRE = SecurityPolicy.man.pre +fileman_PRE = appman_PROCESSED = $(appman_PRE:man.pre=man) fileman_PROCESSED = $(fileman_PRE:man.pre=man) diff --git a/doc/SecurityPolicy.man.pre b/doc/SecurityPolicy.man.pre deleted file mode 100644 index f5aff0c6c..000000000 --- a/doc/SecurityPolicy.man.pre +++ /dev/null @@ -1,258 +0,0 @@ -.\" Split out of Xserver.man, which was covered by this notice: -.\" Copyright 1984 - 1991, 1993, 1994, 1998 The Open Group -.\" -.\" Permission to use, copy, modify, distribute, and sell this software and its -.\" documentation for any purpose is hereby granted without fee, provided that -.\" the above copyright notice appear in all copies and that both that -.\" copyright notice and this permission notice appear in supporting -.\" documentation. -.\" -.\" The above copyright notice and this permission notice shall be included -.\" in all copies or substantial portions of the Software. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS -.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -.\" IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR -.\" OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -.\" ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -.\" OTHER DEALINGS IN THE SOFTWARE. -.\" -.\" Except as contained in this notice, the name of The Open Group shall -.\" not be used in advertising or otherwise to promote the sale, use or -.\" other dealings in this Software without prior written authorization -.\" from The Open Group. -.\" $XFree86: xc/programs/Xserver/Xserver.man,v 3.31 2004/01/10 22:27:46 dawes Exp $ -.\" shorthand for double quote that works everywhere. -.ds q \N'34' -.TH SecurityPolicy __filemansuffix__ __xorgversion__ -.SH NAME -SecurityPolicy \- X Window System SECURITY Extension Policy file format -.SH DESCRIPTION -The SECURITY extension to the X Window System uses a policy file to determine -which operations should be allowed or denied. The default location for this -file is -.IR __projectroot__/lib/xserver/SecurityPolicy . -.PP -The syntax of the security policy file is as follows. -Notation: "*" means zero or more occurrences of the preceding element, -and "+" means one or more occurrences. To interpret <foo/bar>, ignore -the text after the /; it is used to distinguish between instances of -<foo> in the next section. -.PP -.nf -<policy file> ::= <version line> <other line>* - -<version line> ::= <string/v> '\en' - -<other line > ::= <comment> | <access rule> | <site policy> | <blank line> - -<comment> ::= # <not newline>* '\en' - -<blank line> ::= <space> '\en' - -<site policy> ::= sitepolicy <string/sp> '\en' - -<access rule> ::= property <property/ar> <window> <perms> '\en' - -<property> ::= <string> - -<window> ::= any | root | <required property> - -<required property> ::= <property/rp> | <property with value> - -<property with value> ::= <property/rpv> = <string/rv> - -<perms> ::= [ <operation> | <action> | <space> ]* - -<operation> ::= r | w | d - -<action> ::= a | i | e - -<string> ::= <dbl quoted string> | <single quoted string> | <unquoted string> - -<dbl quoted string> ::= <space> " <not dquote>* " <space> - -<single quoted string> ::= <space> ' <not squote>* ' <space> - -<unquoted string> ::= <space> <not space>+ <space> - -<space> ::= [ ' ' | '\et' ]* - -Character sets: - -<not newline> ::= any character except '\en' -<not dquote> ::= any character except " -<not squote> ::= any character except ' -<not space> ::= any character except those in <space> -.fi -.PP -The semantics associated with the above syntax are as follows. -.PP -<version line>, the first line in the file, specifies the file format -version. If the server does not recognize the version <string/v>, it -ignores the rest of the file. The version string for the file format -described here is "version-1" . -.PP -Once past the <version line>, lines that do not match the above syntax -are ignored. -.PP -<comment> lines are ignored. -.PP -<sitepolicy> lines are currently ignored. They are intended to -specify the site policies used by the XC-QUERY-SECURITY-1 -authorization method. -.PP -<access rule> lines specify how the server should react to untrusted -client requests that affect the X Window property named <property/ar>. -The rest of this section describes the interpretation of an -<access rule>. -.PP -For an <access rule> to apply to a given instance of <property/ar>, -<property/ar> must be on a window that is in the set of windows -specified by <window>. If <window> is any, the rule applies to -<property/ar> on any window. If <window> is root, the rule applies to -<property/ar> only on root windows. -.PP -If <window> is <required property>, the following apply. If <required -property> is a <property/rp>, the rule applies when the window also -has that <property/rp>, regardless of its value. If <required -property> is a <property with value>, <property/rpv> must also have -the value specified by <string/rv>. In this case, the property must -have type STRING and format 8, and should contain one or more -null-terminated strings. If any of the strings match <string/rv>, the -rule applies. -.PP -The definition of string matching is simple case-sensitive string -comparison with one elaboration: the occurrence of the character '*' in -<string/rv> is a wildcard meaning "any string." A <string/rv> can -contain multiple wildcards anywhere in the string. For example, "x*" -matches strings that begin with x, "*x" matches strings that end with -x, "*x*" matches strings containing x, and "x*y*" matches strings that -start with x and subsequently contain y. -.PP -There may be multiple <access rule> lines for a given <property/ar>. -The rules are tested in the order that they appear in the file. The -first rule that applies is used. -.PP -<perms> specify operations that untrusted clients may attempt, and -the actions that the server should take in response to those operations. -.PP -<operation> can be r (read), w (write), or d (delete). The following -table shows how X Protocol property requests map to these operations -in the X.Org server implementation. -.PP -.nf -GetProperty r, or r and d if delete = True -ChangeProperty w -RotateProperties r and w -DeleteProperty d -ListProperties none, untrusted clients can always list all properties -.fi -.PP -<action> can be a (allow), i (ignore), or e (error). Allow means -execute the request as if it had been issued by a trusted client. -Ignore means treat the request as a no-op. In the case of -GetProperty, ignore means return an empty property value if the -property exists, regardless of its actual value. Error means do not -execute the request and return a BadAtom error with the atom set to -the property name. Error is the default action for all properties, -including those not listed in the security policy file. -.PP -An <action> applies to all <operation>s that follow it, until the next -<action> is encountered. Thus, irwad means ignore read and write, -allow delete. -.PP -GetProperty and RotateProperties may do multiple operations (r and d, -or r and w). If different actions apply to the operations, the most -severe action is applied to the whole request; there is no partial -request execution. The severity ordering is: allow < ignore < error. -Thus, if the <perms> for a property are ired (ignore read, error -delete), and an untrusted client attempts GetProperty on that property -with delete = True, an error is returned, but the property value is -not. Similarly, if any of the properties in a RotateProperties do not -allow both read and write, an error is returned without changing any -property values. -.PP -Here is an example security policy file. -.PP -.ta 3i 4i -.nf -version-1 - -XCOMM Allow reading of application resources, but not writing. -property RESOURCE_MANAGER root ar iw -property SCREEN_RESOURCES root ar iw - -XCOMM Ignore attempts to use cut buffers. Giving errors causes apps to crash, -XCOMM and allowing access may give away too much information. -property CUT_BUFFER0 root irw -property CUT_BUFFER1 root irw -property CUT_BUFFER2 root irw -property CUT_BUFFER3 root irw -property CUT_BUFFER4 root irw -property CUT_BUFFER5 root irw -property CUT_BUFFER6 root irw -property CUT_BUFFER7 root irw - -XCOMM If you are using Motif, you probably want these. -property _MOTIF_DEFAULT_BINDINGS root ar iw -property _MOTIF_DRAG_WINDOW root ar iw -property _MOTIF_DRAG_TARGETS any ar iw -property _MOTIF_DRAG_ATOMS any ar iw -property _MOTIF_DRAG_ATOM_PAIRS any ar iw - -XCOMM The next two rules let xwininfo -tree work when untrusted. -property WM_NAME any ar - -XCOMM Allow read of WM_CLASS, but only for windows with WM_NAME. -XCOMM This might be more restrictive than necessary, but demonstrates -XCOMM the <required property> facility, and is also an attempt to -XCOMM say "top level windows only." -property WM_CLASS WM_NAME ar - -XCOMM These next three let xlsclients work untrusted. Think carefully -XCOMM before including these; giving away the client machine name and command -XCOMM may be exposing too much. -property WM_STATE WM_NAME ar -property WM_CLIENT_MACHINE WM_NAME ar -property WM_COMMAND WM_NAME ar - -XCOMM To let untrusted clients use the standard colormaps created by -XCOMM xstdcmap, include these lines. -property RGB_DEFAULT_MAP root ar -property RGB_BEST_MAP root ar -property RGB_RED_MAP root ar -property RGB_GREEN_MAP root ar -property RGB_BLUE_MAP root ar -property RGB_GRAY_MAP root ar - -XCOMM To let untrusted clients use the color management database created -XCOMM by xcmsdb, include these lines. -property XDCCC_LINEAR_RGB_CORRECTION root ar -property XDCCC_LINEAR_RGB_MATRICES root ar -property XDCCC_GRAY_SCREENWHITEPOINT root ar -property XDCCC_GRAY_CORRECTION root ar - -XCOMM To let untrusted clients use the overlay visuals that many vendors -XCOMM support, include this line. -property SERVER_OVERLAY_VISUALS root ar - -XCOMM Dumb examples to show other capabilities. - -XCOMM oddball property names and explicit specification of error conditions -property "property with spaces" 'property with "' aw er ed - -XCOMM Allow deletion of Woo-Hoo if window also has property OhBoy with value -XCOMM ending in "son". Reads and writes will cause an error. -property Woo-Hoo OhBoy = "*son" ad - -.fi -.SH FILES -.TP 30 -.I __projectroot__/lib/xserver/SecurityPolicy -Default X server security policy -.SH "SEE ALSO" -.PP -\fIXserver\fp(__appmansuffix__), -.I "Security Extension Specification" diff --git a/doc/Xserver.man.pre b/doc/Xserver.man.pre index c9ee019c6..c47a3966b 100644 --- a/doc/Xserver.man.pre +++ b/doc/Xserver.man.pre @@ -407,15 +407,6 @@ elapse between autorepeat-generated keystrokes). .TP 8 .B \-xkbmap \fIfilename\fP loads keyboard description in \fIfilename\fP on server startup. -.SH SECURITY EXTENSION OPTIONS -X servers that support the SECURITY extension accept the following option: -.TP 8 -.B \-sp \fIfilename\fP -causes the server to attempt to read and interpret filename as a security -policy file with the format described below. The file is read at server -startup and reread at each server reset. -The syntax of the security policy file is described in -\fISecurityPolicy\fP(__filemansuffix__). .SH "NETWORK CONNECTIONS" The X server supports client connections via a platform-dependent subset of the following transport types: TCP\/IP, Unix Domain sockets, DECnet, @@ -580,9 +571,6 @@ Error log file for display number \fBn\fP if run from \fIinit\fP(__adminmansuffi .TP 30 .I __projectroot__/lib/X11/xdm/xdm-errors Default error log file if the server is run from \fIxdm\fP(1) -.TP 30 -.I __projectroot__/lib/xserver/SecurityPolicy -Default X server security policy .SH "SEE ALSO" General information: \fIX\fP(__miscmansuffix__) .PP @@ -597,7 +585,6 @@ Fonts: \fIbdftopcf\fP(1), \fImkfontdir\fP(1), \fImkfontscale\fP(1), .PP Security: \fIXsecurity\fP(__miscmansuffix__), \fIxauth\fP(1), \fIXau\fP(1), \fIxdm\fP(1), \fIxhost\fP(1), \fIxfwp\fP(1), -\fISecurityPolicy\fP(__filemansuffix__), .I "Security Extension Specification" .PP Starting the server: \fIxdm\fP(1), \fIxinit\fP(1) |