diff options
Diffstat (limited to 'doc/SecurityPolicy.man.pre')
-rw-r--r-- | doc/SecurityPolicy.man.pre | 258 |
1 files changed, 258 insertions, 0 deletions
diff --git a/doc/SecurityPolicy.man.pre b/doc/SecurityPolicy.man.pre new file mode 100644 index 000000000..f5aff0c6c --- /dev/null +++ b/doc/SecurityPolicy.man.pre @@ -0,0 +1,258 @@ +.\" Split out of Xserver.man, which was covered by this notice: +.\" Copyright 1984 - 1991, 1993, 1994, 1998 The Open Group +.\" +.\" Permission to use, copy, modify, distribute, and sell this software and its +.\" documentation for any purpose is hereby granted without fee, provided that +.\" the above copyright notice appear in all copies and that both that +.\" copyright notice and this permission notice appear in supporting +.\" documentation. +.\" +.\" The above copyright notice and this permission notice shall be included +.\" in all copies or substantial portions of the Software. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +.\" OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +.\" IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR +.\" OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +.\" ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +.\" OTHER DEALINGS IN THE SOFTWARE. +.\" +.\" Except as contained in this notice, the name of The Open Group shall +.\" not be used in advertising or otherwise to promote the sale, use or +.\" other dealings in this Software without prior written authorization +.\" from The Open Group. +.\" $XFree86: xc/programs/Xserver/Xserver.man,v 3.31 2004/01/10 22:27:46 dawes Exp $ +.\" shorthand for double quote that works everywhere. +.ds q \N'34' +.TH SecurityPolicy __filemansuffix__ __xorgversion__ +.SH NAME +SecurityPolicy \- X Window System SECURITY Extension Policy file format +.SH DESCRIPTION +The SECURITY extension to the X Window System uses a policy file to determine +which operations should be allowed or denied. The default location for this +file is +.IR __projectroot__/lib/xserver/SecurityPolicy . +.PP +The syntax of the security policy file is as follows. +Notation: "*" means zero or more occurrences of the preceding element, +and "+" means one or more occurrences. To interpret <foo/bar>, ignore +the text after the /; it is used to distinguish between instances of +<foo> in the next section. +.PP +.nf +<policy file> ::= <version line> <other line>* + +<version line> ::= <string/v> '\en' + +<other line > ::= <comment> | <access rule> | <site policy> | <blank line> + +<comment> ::= # <not newline>* '\en' + +<blank line> ::= <space> '\en' + +<site policy> ::= sitepolicy <string/sp> '\en' + +<access rule> ::= property <property/ar> <window> <perms> '\en' + +<property> ::= <string> + +<window> ::= any | root | <required property> + +<required property> ::= <property/rp> | <property with value> + +<property with value> ::= <property/rpv> = <string/rv> + +<perms> ::= [ <operation> | <action> | <space> ]* + +<operation> ::= r | w | d + +<action> ::= a | i | e + +<string> ::= <dbl quoted string> | <single quoted string> | <unquoted string> + +<dbl quoted string> ::= <space> " <not dquote>* " <space> + +<single quoted string> ::= <space> ' <not squote>* ' <space> + +<unquoted string> ::= <space> <not space>+ <space> + +<space> ::= [ ' ' | '\et' ]* + +Character sets: + +<not newline> ::= any character except '\en' +<not dquote> ::= any character except " +<not squote> ::= any character except ' +<not space> ::= any character except those in <space> +.fi +.PP +The semantics associated with the above syntax are as follows. +.PP +<version line>, the first line in the file, specifies the file format +version. If the server does not recognize the version <string/v>, it +ignores the rest of the file. The version string for the file format +described here is "version-1" . +.PP +Once past the <version line>, lines that do not match the above syntax +are ignored. +.PP +<comment> lines are ignored. +.PP +<sitepolicy> lines are currently ignored. They are intended to +specify the site policies used by the XC-QUERY-SECURITY-1 +authorization method. +.PP +<access rule> lines specify how the server should react to untrusted +client requests that affect the X Window property named <property/ar>. +The rest of this section describes the interpretation of an +<access rule>. +.PP +For an <access rule> to apply to a given instance of <property/ar>, +<property/ar> must be on a window that is in the set of windows +specified by <window>. If <window> is any, the rule applies to +<property/ar> on any window. If <window> is root, the rule applies to +<property/ar> only on root windows. +.PP +If <window> is <required property>, the following apply. If <required +property> is a <property/rp>, the rule applies when the window also +has that <property/rp>, regardless of its value. If <required +property> is a <property with value>, <property/rpv> must also have +the value specified by <string/rv>. In this case, the property must +have type STRING and format 8, and should contain one or more +null-terminated strings. If any of the strings match <string/rv>, the +rule applies. +.PP +The definition of string matching is simple case-sensitive string +comparison with one elaboration: the occurrence of the character '*' in +<string/rv> is a wildcard meaning "any string." A <string/rv> can +contain multiple wildcards anywhere in the string. For example, "x*" +matches strings that begin with x, "*x" matches strings that end with +x, "*x*" matches strings containing x, and "x*y*" matches strings that +start with x and subsequently contain y. +.PP +There may be multiple <access rule> lines for a given <property/ar>. +The rules are tested in the order that they appear in the file. The +first rule that applies is used. +.PP +<perms> specify operations that untrusted clients may attempt, and +the actions that the server should take in response to those operations. +.PP +<operation> can be r (read), w (write), or d (delete). The following +table shows how X Protocol property requests map to these operations +in the X.Org server implementation. +.PP +.nf +GetProperty r, or r and d if delete = True +ChangeProperty w +RotateProperties r and w +DeleteProperty d +ListProperties none, untrusted clients can always list all properties +.fi +.PP +<action> can be a (allow), i (ignore), or e (error). Allow means +execute the request as if it had been issued by a trusted client. +Ignore means treat the request as a no-op. In the case of +GetProperty, ignore means return an empty property value if the +property exists, regardless of its actual value. Error means do not +execute the request and return a BadAtom error with the atom set to +the property name. Error is the default action for all properties, +including those not listed in the security policy file. +.PP +An <action> applies to all <operation>s that follow it, until the next +<action> is encountered. Thus, irwad means ignore read and write, +allow delete. +.PP +GetProperty and RotateProperties may do multiple operations (r and d, +or r and w). If different actions apply to the operations, the most +severe action is applied to the whole request; there is no partial +request execution. The severity ordering is: allow < ignore < error. +Thus, if the <perms> for a property are ired (ignore read, error +delete), and an untrusted client attempts GetProperty on that property +with delete = True, an error is returned, but the property value is +not. Similarly, if any of the properties in a RotateProperties do not +allow both read and write, an error is returned without changing any +property values. +.PP +Here is an example security policy file. +.PP +.ta 3i 4i +.nf +version-1 + +XCOMM Allow reading of application resources, but not writing. +property RESOURCE_MANAGER root ar iw +property SCREEN_RESOURCES root ar iw + +XCOMM Ignore attempts to use cut buffers. Giving errors causes apps to crash, +XCOMM and allowing access may give away too much information. +property CUT_BUFFER0 root irw +property CUT_BUFFER1 root irw +property CUT_BUFFER2 root irw +property CUT_BUFFER3 root irw +property CUT_BUFFER4 root irw +property CUT_BUFFER5 root irw +property CUT_BUFFER6 root irw +property CUT_BUFFER7 root irw + +XCOMM If you are using Motif, you probably want these. +property _MOTIF_DEFAULT_BINDINGS root ar iw +property _MOTIF_DRAG_WINDOW root ar iw +property _MOTIF_DRAG_TARGETS any ar iw +property _MOTIF_DRAG_ATOMS any ar iw +property _MOTIF_DRAG_ATOM_PAIRS any ar iw + +XCOMM The next two rules let xwininfo -tree work when untrusted. +property WM_NAME any ar + +XCOMM Allow read of WM_CLASS, but only for windows with WM_NAME. +XCOMM This might be more restrictive than necessary, but demonstrates +XCOMM the <required property> facility, and is also an attempt to +XCOMM say "top level windows only." +property WM_CLASS WM_NAME ar + +XCOMM These next three let xlsclients work untrusted. Think carefully +XCOMM before including these; giving away the client machine name and command +XCOMM may be exposing too much. +property WM_STATE WM_NAME ar +property WM_CLIENT_MACHINE WM_NAME ar +property WM_COMMAND WM_NAME ar + +XCOMM To let untrusted clients use the standard colormaps created by +XCOMM xstdcmap, include these lines. +property RGB_DEFAULT_MAP root ar +property RGB_BEST_MAP root ar +property RGB_RED_MAP root ar +property RGB_GREEN_MAP root ar +property RGB_BLUE_MAP root ar +property RGB_GRAY_MAP root ar + +XCOMM To let untrusted clients use the color management database created +XCOMM by xcmsdb, include these lines. +property XDCCC_LINEAR_RGB_CORRECTION root ar +property XDCCC_LINEAR_RGB_MATRICES root ar +property XDCCC_GRAY_SCREENWHITEPOINT root ar +property XDCCC_GRAY_CORRECTION root ar + +XCOMM To let untrusted clients use the overlay visuals that many vendors +XCOMM support, include this line. +property SERVER_OVERLAY_VISUALS root ar + +XCOMM Dumb examples to show other capabilities. + +XCOMM oddball property names and explicit specification of error conditions +property "property with spaces" 'property with "' aw er ed + +XCOMM Allow deletion of Woo-Hoo if window also has property OhBoy with value +XCOMM ending in "son". Reads and writes will cause an error. +property Woo-Hoo OhBoy = "*son" ad + +.fi +.SH FILES +.TP 30 +.I __projectroot__/lib/xserver/SecurityPolicy +Default X server security policy +.SH "SEE ALSO" +.PP +\fIXserver\fp(__appmansuffix__), +.I "Security Extension Specification" |