From Fedora Project Wiki


Could you spell out any possible security implications of overridden grabs? Could malevolent X apps start to snoop in on password-prompting windows, for example? Fche 03:08, 22 December 2011 (UTC)

  • Grabbing has never been a security feature. You can already snoop on a grabbed device, either using raw events or by registering for slave device events. We're trying to get the priority system right so that e.g. gnome-screensaver can assume it's the top-most grab-override and get events first, but that's about it. 03:13, 22 December 2011 (UTC)
    • How can one snoop on a grabbed device via the X protocol? Or are you talking about opening up /dev/input*?
      • Get the X device ID of the physical device you want to listen to, then XISelectEvents(3) on that device for whatever window you want the events on. Given event delivery traversal, the root window should be enough in most cases. Toolkits usually only work on the master devices, so slave device event delivery is usually a free-for-all. Also, with XI 2.1, listening to raw events has the same effect, though there you only get the device data, not the window information etc as well. Quick example: change the XISelectEvents call in xinput's test-xi2 from win to DefaultRootWindow(display), compile it, run with xinput --test-xi2. You should see every event from any slave device now.
        • Interesting. Would it be fair to say that grabbing was previously a security feature (plenty of old X11 documentation talks about this, methinks), until this newfangled xinput stuff came by, and failed to extend the grabbing model - dunno, transitively?
          • IIRC the X Input extension was released in 1994 and I think most of the above would have been possible since. All of the above is definitely possible since X server 1.4 (Fedora 9+)