security.xml revision d63b911f 
1<?xml version="1.0" encoding="UTF-8" ?>
2<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
3                   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"
4[
5<!ENTITY % defs SYSTEM "defs.ent"> %defs;
6]>
7<!--translated from security.tex, on 2010-06-27 15:29:00,
8by TeX4ht (http://www.cse.ohio-state.edu/~gurari/TeX4ht/)
9xhtml,docbook,html,refcaption -->
10
11<book id="security">
12
13<bookinfo>
14   <title>Security Extension Specification</title>
15   <subtitle>X Consortium Standard</subtitle>
16   <authorgroup>
17      <author>
18         <firstname>David</firstname><othername>P.</othername><surname>Wiggins</surname>
19         <affiliation><orgname>X Consortium</orgname></affiliation>
20      </author>
21   </authorgroup>
22   <releaseinfo>X Version 11, Release &fullrelvers;</releaseinfo>
23   <releaseinfo>Version 7.1</releaseinfo>
24   <copyright><year>1996</year><holder>X Consortium</holder></copyright>
25
26<legalnotice>
27<para>
28Permission is hereby granted, free of charge, to any person obtaining a copy
29of this software and associated documentation files (the &ldquo;Software&rdquo;), to deal
30in the Software without restriction, including without limitation the rights
31to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
32copies of the Software, and to permit persons to whom the Software is
33furnished to do so, subject to the following conditions:
34</para>
35<para>
36The above copyright notice and this permission notice shall be included in
37all copies or substantial portions of the Software.
38</para>
39<para>
40THE SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
41IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
42FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
43X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
44AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
45CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
46</para>
47<para>
48Except as contained in this notice, the name of the X Consortium shall not be
49used in advertising or otherwise to promote the sale, use or other dealings
50in this Software without prior written authorization from the X Consortium.
51</para>
52<para>X Window System is a trademark of The OpenGroup.</para>
53</legalnotice>
54
55<pubdate>November 15, 1996</pubdate>
56
57</bookinfo>
58
59<chapter id='Introduction'>
60<title>Introduction</title>
61
62<para>
63The Security extension contains new protocol needed to provide enhanced X
64server security. The Security extension should not be exposed to untrusted
65clients (defined below).
66</para>
67
68</chapter>
69
70<chapter id='Requests'>
71<title>Requests</title>
72
73<sect1 id='SecurityQueryVersion'>
74<title>SecurityQueryVersion</title>
75<para>
76This request returns the major and minor version numbers of this extension.
77</para>
78
79<para>SecurityQueryVersion</para>
80
81<informaltable frame='none'>
82  <?dbfo keep-together="always" ?>
83  <tgroup cols='2' align='left' colsep='0' rowsep='0'>
84  <colspec colname='c1' colwidth="1.0*"/>
85  <colspec colname='c2' colwidth="1.5*"/>
86    <tbody>
87      <row>
88        <entry>
89          <para>client-major-version</para>
90        </entry>
91        <entry>
92          <para>CARD16</para>
93        </entry>
94      </row>
95      <row>
96        <entry>
97          <para>client-minor-version</para>
98        </entry>
99        <entry>
100          <para>CARD16</para>
101        </entry>
102      </row>
103      <row>
104        <entry>
105          <para>=&gt;</para>
106        </entry>
107      </row>
108      <row>
109        <entry>
110          <para>server-major-version</para>
111        </entry>
112        <entry>
113          <para>CARD16</para>
114        </entry>
115      </row>
116      <row>
117        <entry>
118          <para>server-minor-version</para>
119        </entry>
120        <entry>
121          <para>CARD16</para>
122        </entry>
123      </row>
124    </tbody>
125  </tgroup>
126</informaltable>
127
128<para>
129The client-major-version and client-minor-version numbers indicate what
130version of the protocol the client wants the server to implement. The
131server-major-version and the server-minor-version numbers returned
132indicate the protocol this extension actually supports. This might not
133equal the version sent by the client. An implementation can (but need not)
134support more than one version simultaneously.  The server-major-version
135and server-minor-version allow the creation of future revisions of the
136Security protocol that may be necessary. In general, the major version
137would increment for incompatible changes, and the minor version would
138increment for small, upward-compatible changes. Servers that support
139the protocol defined in this document will return a server-major-version
140of one (1), and a server-minor-version of zero (0).
141</para>
142
143<para>
144Clients using the Security extension must issue a SecurityQueryVersion
145request before any other Security request in order to negotiate a compatible
146protocol version; otherwise, the client will get undefined behavior
147(Security may or may not work).
148</para>
149</sect1>
150
151<sect1 id='SecurityGenerateAuthorization'>
152<title>SecurityGenerateAuthorization</title>
153
154<para>
155This request causes the server to create and return a new authorization with
156specific characteristics. Clients can subsequently connect using the new
157authorization and will inherit some of the characteristics of the
158authorization.
159</para>
160
161<para>
162SecurityGenerateAuthorization
163</para>
164<informaltable frame='none'>
165  <?dbfo keep-together="always" ?>
166  <tgroup cols='2' align='left' colsep='0' rowsep='0'>
167  <colspec colname='c1' colwidth="1.0*"/>
168  <colspec colname='c2' colwidth="1.5*"/>
169    <tbody>
170      <row>
171        <entry>
172          <para>authorization-protocol-name</para>
173        </entry>
174        <entry>
175          <para>STRING8</para>
176        </entry>
177      </row>
178      <row>
179        <entry>
180          <para>authorization-protocol-data</para>
181        </entry>
182        <entry>
183          <para>STRING8</para>
184        </entry>
185      </row>
186      <row>
187        <entry>
188          <para>value-mask</para>
189        </entry>
190        <entry>
191          <para>BITMASK</para>
192        </entry>
193      </row>
194      <row>
195        <entry>
196          <para>value-list</para>
197        </entry>
198        <entry>
199          <para>LISTofVALUE</para>
200        </entry>
201      </row>
202      <row>
203        <entry>
204          <para>=></para>
205        </entry>
206        <entry>
207        </entry>
208      </row>
209      <row>
210        <entry>
211          <para>authorization-id</para>
212        </entry>
213        <entry>
214          <para>AUTHID</para>
215        </entry>
216      </row>
217      <row>
218        <entry>
219          <para>authorization-data-return</para>
220        </entry>
221        <entry>
222          <para>STRING8</para>
223        </entry>
224      </row>
225    </tbody>
226  </tgroup>
227</informaltable>
228
229<para>
230Errors: <function>AuthorizationProtocol</function>, <function>Value</function>, <function>Alloc</function>
231</para>
232
233<para>
234authorization-protocol-name is the name of the authorization method for
235which the server should generate a new authorization that subsequent
236clients can use to connect to the server. If the authorization-protocol-name
237is not one that the server supports, or if authorization-protocol-data
238does not make sense for the given authorization-protocol-name, an
239AuthorizationProtocol error results.
240</para>
241
242<para>
243authorization-protocol-data is authorization-method specific data that can
244be used in some way to generate the authorization.
245</para>
246
247<note><para>
248In this version of the extension, the only authorization method
249required to be supported is "MIT-MAGIC-COOKIE-1" with any amount
250of authorization-protocol-data (including none). The server may use the
251authorization-protocol-data as an additional source of randomness used
252to generate the authorization. Other authorization methods can supply
253their own interpretation of authorization-protocol-data.
254</para></note>
255
256<para>
257The value-mask and value-list specify attributes of the authorization
258that are to be explicitly initialized. The possible values are:
259</para>
260
261<informaltable frame='topbot'>
262  <?dbfo keep-together="always" ?>
263  <tgroup cols='3' align='left' colsep='0' rowsep='0'>
264  <colspec colname='c1' colwidth="1.0*"/>
265  <colspec colname='c2' colwidth="1.0*"/>
266  <colspec colname='c3' colwidth="1.0*"/>
267    <thead>
268      <row rowsep='1'>
269        <entry>Attribute</entry>
270        <entry>Type</entry>
271        <entry>Default</entry>
272      </row>
273    </thead>
274    <tbody>
275      <row>
276        <entry>
277          <para>timeout</para>
278        </entry>
279        <entry>
280          <para>CARD32</para>
281        </entry>
282        <entry>
283          <para>60</para>
284        </entry>
285      </row>
286      <row>
287        <entry>
288          <para>group</para>
289        </entry>
290        <entry>
291          <para>XID or None</para>
292        </entry>
293        <entry>
294          <para>None</para>
295        </entry>
296      </row>
297      <row>
298        <entry>
299          <para>trust-level</para>
300        </entry>
301        <entry>
302          <para>{SecurityClientTrusted,</para>
303        </entry>
304      </row>
305      <row>
306        <entry>
307          <para></para>
308        </entry>
309        <entry>
310          <para>SecurityClientUntrusted}</para>
311        </entry>
312        <entry>
313          <para>SecurityClientUntrusted</para>
314        </entry>
315      </row>
316      <row>
317        <entry>
318          <para>event-mask</para>
319        </entry>
320        <entry>
321          <para>SecurityAuthorizationRevoked,</para>
322        </entry>
323      </row>
324      <row rowsep="1">
325        <entry>
326          <para></para>
327        </entry>
328        <entry>
329          <para>or None</para>
330        </entry>
331        <entry>
332          <para>None</para>
333        </entry>
334      </row>
335    </tbody>
336  </tgroup>
337</informaltable>
338
339<para>
340timeout is the timeout period in seconds for this authorization. A
341timeout value of zero means this authorization will never expire. For
342non-zero timeout values, when timeout seconds have elapsed since the
343last time that the authorization entered the state of having no
344connections authorized by it, and if no new connections used the
345authorization during that time, the authorization is automatically purged.
346(Note that when an authorization is created, it enters the state of having no
347connections authorized by it.) Subsequent connection attempts using that
348authorization will fail. This is to facilitate "fire and forget" launching of
349applications.
350</para>
351
352<para>
353group is an application group ID as defined by the Application Group
354extension, or None. Any other values will cause a Value error. When a
355group is destroyed, all authorizations specifying that group are revoked
356as described under the SecurityRevokeAuthorization request. The Application
357Group extension attaches additional semantics to the group.
358</para>
359
360<para>
361trust-level tells whether clients using the authorization are trusted or
362untrusted. If trust-level is not one of the constants SecurityClientTrusted
363or SecurityClientUntrusted, a Value error results.
364</para>
365
366<para>
367event-mask defines which events the client is interested in for this
368authorization.  When the authorization expires or is revoked if event-mask
369contains SecurityAuthorizationRevoked a SecurityAuthorizationRevoked event
370is reported to the client.
371</para>
372
373<para>
374The SecurityAuthorizationRevoked event contains the following field:
375</para>
376
377<informaltable frame='topbot'>
378  <?dbfo keep-together="always" ?>
379  <tgroup cols='2' align='left' colsep='0' rowsep='0'>
380  <colspec colname='c1' colwidth="1.0*"/>
381  <colspec colname='c2' colwidth="1.5*"/>
382    <thead>
383      <row rowsep="1">
384        <entry>Field</entry>
385        <entry>Type</entry>
386      </row>
387    </thead>
388    <tbody>
389      <row>
390        <entry>
391          <para>authorization-id</para>
392        </entry>
393        <entry>
394          <para>AUTHID</para>
395        </entry>
396      </row>
397    </tbody>
398  </tgroup>
399</informaltable>
400
401<para>
402where authorization-id is the identification of the authorization that was
403revoked.
404</para>
405<para>
406If an invalid value-mask is specified, a Value error occurs.
407</para>
408
409<para>
410The returned authorization-id is a non-zero value that uniquely identifies
411this authorization for use in other requests. The value space for type
412AUTHID is not required to be disjoint from values spaces of other core
413X types, e.g. resource ids, atoms, visual ids, and keysyms. Thus, a given
414numeric value might be both a valid AUTHID and a valid atom, for example.
415</para>
416
417<para>
418authorization-data-return is the data that a client should use in some
419authorization-method-specific way to make a connection with this
420authorization. For "MIT-MAGIC-COOKIE-1," authorization-data-return should
421be sent as the authorization-protocol-data in the connection setup message.
422It is not required that other authorization methods use
423authorization-data-return this way.
424</para>
425
426</sect1>
427
428<sect1 id='SecurityRevokeAuthorization'>
429<title>SecurityRevokeAuthorization</title>
430
431<para>
432This request deletes an authorization created by SecurityGenerateAuthorization.
433</para>
434
435<para>
436SecurityRevokeAuthorization
437</para>
438
439<informaltable frame='none'>
440  <?dbfo keep-together="always" ?>
441  <tgroup cols='2' align='left' colsep='0' rowsep='0'>
442  <colspec colname='c1' colwidth="1.0*"/>
443  <colspec colname='c2' colwidth="1.5*"/>
444    <tbody>
445      <row>
446        <entry>
447          <para><emphasis remap='I'>authorization-id</emphasis></para>
448        </entry>
449        <entry>
450          <para>AUTHID</para>
451        </entry>
452      </row>
453    </tbody>
454  </tgroup>
455</informaltable>
456
457<para>
458Errors: <function>Authorization</function>
459</para>
460
461<para>
462If authorization-id does not name a valid authorization, an Authorization
463error occurs. Otherwise, this request kills all clients currently connected
464using the authorization specified by authorization-id. The authorization is
465deleted from the server's database, so future attempts by clients to connect
466with this authorization will fail.
467</para>
468
469</sect1>
470</chapter>
471
472<chapter id='Changes_to_Core_Requests'>
473<title>Changes to Core Requests</title>
474
475<para>
476A server supporting this extension modifies the handling of some core
477requests in the following ways.
478</para>
479<sect1 id='Resource_ID_Usage'>
480<title>Resource ID Usage</title>
481
482<para>
483If an untrusted client makes a request that specifies a resource ID that is
484not owned by another untrusted client, a protocol error is sent to the
485requesting client indicating that the specified resource does not exist.
486The following exceptions apply. An untrusted client can:
487</para>
488
489<orderedlist>
490  <listitem>
491    <para>
492use  the  QueryTree,  GetGeometry,  and  TranslateCoordinates  requests
493without restriction.
494    </para>
495  </listitem>
496  <listitem>
497    <para>
498use colormap IDs that are returned in the default-colormap field of its
499connection setup information in any colormap requests.
500    </para>
501  </listitem>
502  <listitem>
503     <para>specify a root window as:</para>
504     <orderedlist>
505       <listitem>
506         <para>
507the drawable field of CreatePixmap, CreateGC, and QueryBestSize.
508         </para>
509       </listitem>
510       <listitem>
511         <para>the parent field of CreateWindow.</para>
512       </listitem>
513       <listitem>
514         <para>
515the window field of CreateColormap, ListProperties, and GetWindowAttributes.
516         </para>
517       </listitem>
518       <listitem>
519         <para>the grab-window or confine-to fields of GrabPointer.
520         </para>
521       </listitem>
522       <listitem>
523         <para>the grab-window field of UngrabButton.</para>
524       </listitem>
525       <listitem>
526         <para>
527the destination of SendEvent, but only if all of the following are true.
528(These conditions cover all the events that the ICCCM specifies with
529a root window destination.)
530         </para>
531         <orderedlist>
532           <listitem>
533             <para>The propagate field of SendEvent is False.</para>
534           </listitem>
535           <listitem>
536             <para>
537The   event-mask   field   of   SendEvent   is   ColormapChange,
538StructureNotify, or the logical OR of SubstructureRedirect with
539SubstructureNotify.
540             </para>
541           </listitem>
542           <listitem>
543             <para>
544The event type being sent is UnmapNotify, ConfigureRequest, or
545ClientMessage.
546             </para>
547           </listitem>
548         </orderedlist>
549       </listitem>
550       <listitem>
551         <para>
552the window field of ChangeWindowAttributes, but only if the value-mask
553contains only event-mask and the corresponding value is StructureNotify,
554PropertyChange, or the logical OR of both.
555         </para>
556       </listitem>
557    </orderedlist>
558  </listitem>
559</orderedlist>
560
561<note>
562<para>
563ISSUE: are root window exceptions needed for these? WarpPointer, ReparentWindow
564(parent), CirculateWindow, QueryPointer (emacs does this), GetMotionEvents.
565</para>
566</note>
567
568</sect1>
569<sect1 id='Extension_Security'>
570<title>Extension Security</title>
571
572<para>
573This extension introduces the notion of secure and insecure extensions. A
574secure extension is believed to be safe to use by untrusted clients; that
575is, there are no significant security concerns known that an untrusted
576client could use to destroy, modify, or steal data of trusted clients. This
577belief may be founded on a careful analysis of the extension protocol,
578its implementation, and measures taken to "harden" the extension to close
579security weaknesses. All extensions not considered secure are called
580insecure. The implementation details of how an extension is identified as
581secure or insecure are beyond the scope of this specification.
582</para>
583
584<para>
585<function>ListExtensions</function> will only return names of secure
586extensions to untrusted clients.
587</para>
588
589<para>
590If an untrusted client uses <function>QueryExtension</function> on an
591insecure extension that the server supports, the reply will have the
592present field set to False and the major-opcode field set to zero to
593indicate that the extension is not supported.
594</para>
595
596<para>
597If an untrusted client successfully guesses the major opcode of an
598insecure extension, attempts by it to execute requests with that major
599opcode will fail with a Request error.
600</para>
601
602</sect1>
603
604<sect1 id='Keyboard_Security'>
605<title>Keyboard Security</title>
606
607
608<para>
609The protocol interpretation changes in this section are intended to prevent
610untrusted applications from stealing keyboard input that was meant for
611trusted clients and to prevent them from interfering with the use of the
612keyboard.
613</para>
614
615<para>
616The behavior of some keyboard-related requests and events is modified when
617the client is untrusted depending on certain server state at the time of
618request execution or event generation. Specifically, if a hypothetical
619keyboard event were generated given the current input focus, pointer
620position, keyboard grab state, and window event selections, and if that
621keyboard event would not be delivered to any untrusted client, the
622following changes apply:
623</para>
624
625<orderedlist>
626  <listitem>
627    <para>
628The bit vector representing the up/down state of the keys returned by
629<function>QueryKeymap</function> and
630<function>KeymapNotify</function> is all zeroes.
631    </para>
632  </listitem>
633  <listitem>
634    <para>GrabKeyboard returns a status of AlreadyGrabbed.</para>
635  </listitem>
636  <listitem>
637    <para>
638<function>SetInputFocus</function> does nothing. Note that this means the
639Globally Active
640Input and WM_TAKE_FOCUS mechanisms specified in the ICCCM will
641not work with untrusted clients.
642    </para>
643  </listitem>
644  <listitem>
645    <para>
646Passive grabs established by GrabKey that would otherwise have activated
647do not activate.
648    </para>
649  </listitem>
650</orderedlist>
651
652<para>
653If an untrusted client attempts to use any of the following requests, the
654only effect is that the client receives an Access error: SetModifierMapping,
655ChangeKeyboardMapping, ChangeKeyboardControl.
656</para>
657
658<para>
659If an InputOnly window owned by an untrusted client has a parent owned by a
660trusted client, all attempts to map the window will be ignored. This includes
661mapping attempts resulting from MapWindow, MapSubwindows, ReparentWindow,
662and save-set processing.
663</para>
664<para>
665However, if the parent of an InputOnly window owned by an untrusted client
666is the root window, attempts to map that window will be performed as
667expected. This is in line with the root window exceptions above.
668</para>
669</sect1>
670
671<sect1 id='Image_Security'>
672<title>Image Security</title>
673
674<para>
675It should be impossible for an untrusted client to retrieve the image
676contents of a trusted window unless a trusted client takes action to allow
677this. We introduce the following defenses in support of this requirement.
678</para>
679
680<para>
681The restrictions on resource ID usage listed above prevent untrusted clients
682from using GetImage directly on windows not belonging to trusted clients.
683</para>
684
685<para>
686If an untrusted client tries to set the background-pixmap attribute of an
687untrusted window to None, the server will instead use a server-dependent
688background which must be different than None.
689</para>
690
691<para>
692The X protocol description of <function>GetImage</function> states that the
693returned contents of regions of a window obscured by noninferior windows are
694undefined if the window has no backing store. Some implementations return the
695contents of the obscuring windows in these regions. When an untrusted client
696uses <function>GetImage</function>, this behavior is forbidden; the server must
697fill the obscured regions in the returned image with a server-dependent pattern.
698</para>
699
700<para>
701If an untrusted window has trusted inferiors, their contents are vulnerable
702to theft via <function>GetImage</function> on the untrusted parent, as well
703as being vulnerable to destruction via drawing with subwindow-mode
704IncludeInferiors on the untrusted parent. An untrusted window having trusted
705inferiors can only occur at the request of a trusted client. It is expected
706to be an unusual configuration.
707</para>
708
709</sect1>
710
711<sect1 id='Property_Security'>
712<title>Property Security</title>
713
714<para>
715Unlike the other security provisions described in this document, security for
716property access is not amenable to a fixed policy because properties are
717used for inter-client communication in diverse ways and may contain data of
718varying degrees of sensitivity. Therefore, we only list the possible
719restrictions the server may decide to impose on use of properties on trusted
720windows by untrusted clients. How the server chooses which restrictions from
721this list to apply to a particular property access is implementation dependent
722  <footnote><para>
723In the X Consortium server implementation, property access is controlled by
724a configuration file; see the -sp option in the Xserver(1) manual page.
725  </para></footnote>.
726</para>
727
728<para>The X Protocol property requests are
729<function>ChangeProperty</function>,
730<function>GetProperty</function>,
731<function>DeleteProperty</function>,
732<function>RotateProperties</function>, and
733<function>ListProperties</function>. For these requests, the server can
734allow the request to execute normally (as if it had been issued by a
735trusted client), ignore the request completely (as if it were a NoOperation),
736or ignore the request except to send an Atom error to the client. Ignoring
737a <function>ListProperties</function> request means replying that
738the window has no properties. <function>ListProperties</function> may also
739reply with a subset of the existing properties if the server is doing
740property hiding; see below. An ignored <function>GetProperty</function>
741request may reply that the property does not exist, or that it exists but
742contains no data.
743</para>
744
745<para>
746The server may decide to hide certain properties on certain windows from
747untrusted clients
748  <footnote><para>
749The X Consortium server implementation does not currently provide a way to
750hide properties.
751  </para></footnote>.
752If a property is to be hidden, it must be done consistently to avoid
753confusing clients.  This means that for untrusted clients:
754</para>
755
756<itemizedlist>
757  <listitem>
758    <para>
759That property should not be returned by
760<function>ListProperties</function>.
761    </para>
762  </listitem>
763  <listitem>
764    <para>
765<function>PropertyNotify</function> events should not be sent for that
766property.</para>
767    </listitem>
768  <listitem>
769    <para>
770<function>GetProperty</function> on that property should reply that the
771property does not exist (the return type is None, the format and
772bytes-after are zero, and the value is empty).
773    </para>
774  </listitem>
775</itemizedlist>
776
777<para>
778For a property that the server is protecting but not hiding, consistency
779must also be maintained:
780</para>
781
782<itemizedlist>
783  <listitem>
784    <para>
785That property should be returned by <function>ListProperties</function>.
786    </para>
787  </listitem>
788  <listitem>
789    <para>
790<function>PropertyNotify</function> events should be sent for that property.
791    </para>
792  </listitem>
793  <listitem>
794    <para>
795<function>GetProperty</function> on that property should reply that the
796property exists (if it really does) but the value is empty
797(return type and format are their real values, and the "length of value"
798field in the reply is zero).
799    </para>
800  </listitem>
801</itemizedlist>
802
803</sect1>
804
805<sect1 id='Miscellaneous_Security'>
806<title>Miscellaneous Security</title>
807
808<para>
809If an untrusted client attempts to use
810<function>ChangeHosts</function>,
811<function>ListHosts</function>, or
812<function>SetAccessControl</function>,
813the only effect is that the client receives an Access error.
814</para>
815
816<para>
817If an untrusted client attempts to use <function>ConvertSelection</function>
818on a selection with a trusted selection owner window, the server generates
819a SelectionNotify event to the requestor with property None.
820</para>
821</sect1>
822</chapter>
823
824<chapter id='New_Authorization_Method'>
825<title>New Authorization Method</title>
826
827<para>
828This extension includes a new authorization method named
829"XC-QUERY-SECURITY-1".  Its purpose is to allow an external agent such as
830the X firewall proxy to probe an X server to determine whether that server
831meets certain security criteria without requiring the agent to have its
832own authorization for that server. The agent may use the returned information
833to make a decision. For example, the X firewall proxy may choose not to
834forward client connections to servers that do not meet the criteria.
835</para>
836
837<para>
838To use this authorization method, the client (or proxy) sends
839"XC-QUERY-SECURITY-1" as the authorization-protocol-name in the initial
840connection setup message. The authorization-protocol-data may be empty or
841may contain additional security criteria described below. If the success
842field of the server's reply is Authenticate, the server supports the
843security extension, and the server meets all specified additional security
844criteria. In this case, the client should resend the initial connection
845setup message substituting the authorization protocol name and data
846that should be used to authorize the connection. If the success field of the
847server's reply is anything other than Authenticate, either the server does not
848support the security extension, does not meet (or cannot determine if it
849meets) all of the additional security criteria, or chooses for internal reasons
850not to answer with Authenticate. In this case, the client should close the
851connection.
852</para>
853
854<para>
855If the authorization-protocol-data sent with "XC-QUERY-SECURITY-1" is not
856empty, it specifies additional security criteria for the server to check, as
857follows.
858</para>
859
860<para>
861<function>authorization-protocol-data</function>
862</para>
863
864<informaltable frame='none'>
865  <?dbfo keep-together="always" ?>
866  <tgroup cols='2' align='left' colsep='0' rowsep='0'>
867  <colspec colname='c1' colwidth="1.0*"/>
868  <colspec colname='c2' colwidth="1.5*"/>
869    <tbody>
870      <row>
871        <entry>
872          <para>policy-mask</para>
873        </entry>
874        <entry>
875          <para>BITMASK</para>
876        </entry>
877      </row>
878      <row>
879        <entry>
880          <para>policies</para>
881        </entry>
882        <entry>
883          <para>LISTofSECURITYPOLICY</para>
884        </entry>
885      </row>
886    </tbody>
887  </tgroup>
888</informaltable>
889
890<para>
891The policy-mask field is any logical-OR combination of the constants
892Extensions and SitePolicies. For each bit set in policy-mask, there is a
893SECURITYPOLICY element in policies. The nth element in policies corresponds
894to the nth 1-bit in policy-mask, counting upward from bit 0.
895</para>
896
897<para><function>SECURITYPOLICY</function></para>
898
899<informaltable frame='none'>
900  <?dbfo keep-together="always" ?>
901  <tgroup cols='2' align='left' colsep='0' rowsep='0'>
902  <colspec colname='c1' colwidth="1.0*"/>
903  <colspec colname='c2' colwidth="1.5*"/>
904    <tbody>
905      <row>
906        <entry>
907          <para>policy-type</para>
908        </entry>
909        <entry>
910          <para>{Disallow, Permit}</para>
911        </entry>
912      </row>
913      <row>
914        <entry>
915          <para>names</para>
916        </entry>
917        <entry>
918          <para>LISTofSTR</para>
919        </entry>
920      </row>
921    </tbody>
922  </tgroup>
923</informaltable>
924
925<para>
926For a SECURITYPOLICY corresponding to policy-mask Extensions, if
927policy-type is Disallow the server is required to consider as insecure
928all extensions given in names.  No policy is specified for extensions
929not listed in names. If policy-type is Permit the server may consider
930only those extensions given in names to be secure; all other extensions
931must be treated as insecure. If these constraints are not met, the server
932should not return Authenticate in the success field of the reply.
933Servers can but need not dynamically configure themselves in response
934to an Extensions SECURITYPOLICY; a conforming server might simply compare
935the policy with a compiled-in table of extensions and their security status.
936</para>
937
938<para>
939For a SECURITYPOLICY corresponding to policy-mask SitePolicies, policy-type
940Disallow means the server must not have been configured with any of the site
941policies given in names. Policy-type Permit means the server must have
942been configured with at least one of the site policies given in names. If
943these constraints are not met, the server should not return Authenticate in
944the success field of the reply.
945</para>
946
947<para>
948SitePolicies provide a way to express new forms of security-relevant
949information that could not be anticipated at the time of this writing.
950For example, suppose the server is found to have a critical security defect.
951When a fix is developed, a site policy string could be associated with the
952fix. Servers with the fix would advertise that site policy, and the X
953firewall proxy would specify that site policy in a SECURITYPOLICY with
954policy-type Permit.
955</para>
956
957</chapter>
958
959<chapter id='Encoding'>
960<title>Encoding</title>
961
962<para>
963Please refer to the X11 Protocol Encoding document as this section
964uses syntactic conventions and data types established there.
965</para>
966
967<para>
968The name of this extension is "SECURITY".
969</para>
970
971<sect1 id='Types'>
972<title>Types</title>
973<para>
974AUTHID: CARD32
975</para>
976</sect1>
977
978<sect1 id='Request_Encoding'>
979<title>Request Encoding</title>
980
981<para>
982SecurityQueryVersion
983</para>
984<literallayout remap='FD'>
9851         CARD8         major-opcode
9861         0                minor-opcode
9872         2              request length
9882         CARD16        client-major-version
9892         CARD16        client-minor-version
990=>
9911         1     Reply
9921               unused
9932         CARD16    sequence number
9944         0     reply length
9952         CARD16    server-major-version
9962         CARD16    server-minor-version
99720                            unused
998</literallayout>
999
1000<para>
1001<function>SecurityRevokeAuthorization</function>
1002</para>
1003
1004<literallayout remap='FD'>
10051         CARD8          major-opcode
10061         2                  minor-opcode
10072         2                  request length
10084         AUTHID         authorization-id
1009</literallayout>
1010
1011<para>
1012SecurityGenerateAuthorization
1013</para>
1014
1015<literallayout remap='FD'>
10161         CARD8              major-opcode
10171         1                      minor-opcode
10182         3 + (m+n+3)/4 + s  request length
10192         CARD16             m, number of bytes in authorization protocol name
10202         CARD16             n, number of bytes in authorization data
1021m        STRING8             authorization protocol name
1022n         STRING8            authorization protocol data
1023p                                  unused, p=pad(m+n)
10244         BITMASK          value-mask (has s bits set to 1)
1025       #x00000001          timeout
1026       #x00000002          trust-level
1027       #x00000004          group
1028       #x00000008          event-mask
10294s        LISTofVALUE       value-list
1030</literallayout>
1031
1032<para>
1033VALUES
1034</para>
1035<literallayout remap='FD'>
10364      CARD32        timeout
10374                          trust-level
1038       0                   SecurityClientTrusted
1039       1                   SecurityClientUntrusted
10404      XID              group
10410                          None
10424      CARD32           event-mask
1043       #x00000001       SecurityAuthorizationRevoked
1044=>
10451         1               Reply
10461                         unused
10472         CARD16     sequence number
10484         (q+3)/4        reply length
10494         AUTHID       authorization-id
10502         CARD16       data-length
105118                        unused
1052q         STRING8      authorization-data-return
1053r                         unused, r=pad(q)
1054</literallayout>
1055
1056</sect1>
1057
1058<sect1 id='Event_Encoding'>
1059<title>Event Encoding</title>
1060<para>
1061<function>SecurityAuthorizationRevoked</function>
1062</para>
1063
1064<literallayout remap='FD'>
10651         0+extension event base        code
10661                                                 unused
10672         CARD16                             sequence number
10684         AUTHID                             authorization id
106924                                                unused
1070</literallayout>
1071
1072</sect1>
1073
1074<sect1 id='Authorization_Method_Encoding'>
1075<title>Authorization Method Encoding</title>
1076
1077<para>
1078For authorization-protocol-name "XC-QUERY-SECURITY-1", the
1079authorization-protocol-data is interpreted as follows:
1080</para>
1081
1082<para>
1083<function>authorization-protocol-data</function>
1084</para>
1085<literallayout remap='FD'>
10861         BITMASK                              policy-mask
1087          #x00000001            Extensions
1088          #x00000002            SitePolicies
1089m        LISTofSECURITYPOLICY                  policies
1090</literallayout>
1091
1092<para>
1093<function>SECURITYPOLICY</function>
1094</para>
1095
1096<literallayout remap='FD'>
10971                                                             policy-type
1098          0                         Permit
1099          1                         Disallow
11001         CARD8                                          number of STRs in names
1101n         LISTofSTR                                      names
1102</literallayout>
1103
1104<para>
1105LISTofSTR has the same encoding as in the X protocol: each STR is a single
1106byte length, followed by that many characters, and there is no padding or
1107termination between STRs.
1108</para>
1109</sect1>
1110
1111</chapter>
1112<chapter id='C_Language_Binding'>
1113<title>C Language Binding</title>
1114
1115<para>
1116The header for this extension is &lt;X11/extensions/security.h&gt;. All
1117identifier names provided by this header begin with XSecurity.
1118</para>
1119
1120<para>
1121All functions that have return type Status will return nonzero for
1122success and zero for failure.
1123</para>
1124
1125<funcsynopsis id='XSecurityQueryExtension'>
1126<funcprototype>
1127  <funcdef>Status <function>XSecurityQueryExtension</function></funcdef>
1128    <paramdef>Display <parameter> *dpy</parameter></paramdef>
1129    <paramdef>int <parameter> *major_version_return</parameter></paramdef>
1130    <paramdef>int <parameter> *minor_version_return</parameter></paramdef>
1131</funcprototype>
1132</funcsynopsis>
1133
1134<para>
1135<xref linkend='XSecurityQueryExtension' xrefstyle='select: title'/> sets major_version_return and
1136minor_version_return to the major and minor Security protocol version
1137supported by the server. If the Security library is compatible with the
1138version returned by the server, it returns nonzero. If dpy does not support
1139the Security extension, or if there was an error during communication with
1140the server, or if the server and library protocol versions are incompatible,
1141it returns zero. No other XSecurity functions may be called before this
1142function. If a client violates this rule, the effects of all subsequent
1143XSecurity calls that it makes are undefined.
1144</para>
1145
1146<funcsynopsis id='XSecurityAllocXauth'>
1147<funcprototype>
1148  <funcdef>Xauth *<function>XSecurityAllocXauth</function></funcdef>
1149    <paramdef><parameter>void</parameter></paramdef>
1150</funcprototype>
1151</funcsynopsis>
1152<para>
1153In order to provide for future evolution, Xauth structures are used to
1154pass and return authorization data, and the library provides ways to
1155allocate and deallocate them.
1156</para>
1157
1158<para>
1159<xref linkend='XSecurityAllocXauth' xrefstyle='select: title'/> must be used to allocate the
1160Xauth structure that is passed to
1161<xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/>.
1162</para>
1163
1164<para>
1165For the purposes of the Security extension, the Xauth structure has
1166the following fields:
1167</para>
1168
1169<informaltable frame='topbot'>
1170  <?dbfo keep-together="always" ?>
1171  <tgroup cols='3' align='left' colsep='0' rowsep='0'>
1172  <colspec colname='c1' colwidth="1.0*"/>
1173  <colspec colname='c2' colwidth="1.0*"/>
1174  <colspec colname='c3' colwidth="3.0*"/>
1175    <thead>
1176      <row rowsep="1">
1177        <entry>Type</entry>
1178        <entry>Field name</entry>
1179        <entry>Description</entry>
1180      </row>
1181    </thead>
1182    <tbody>
1183      <row>
1184        <entry>
1185          <para>unsigned short</para>
1186        </entry>
1187        <entry>
1188          <para>name_length</para>
1189        </entry>
1190        <entry>
1191          <para>number of bytes in name</para>
1192        </entry>
1193      </row>
1194      <row>
1195        <entry>
1196          <para>char *</para>
1197        </entry>
1198        <entry>
1199          <para>name</para>
1200        </entry>
1201        <entry>
1202          <para>authorization protocol name</para>
1203        </entry>
1204      </row>
1205      <row>
1206        <entry>
1207          <para>unsigned short</para>
1208        </entry>
1209        <entry>
1210          <para>data_length</para>
1211        </entry>
1212        <entry>
1213          <para>number of bytes in data</para>
1214        </entry>
1215      </row>
1216      <row rowsep="1">
1217        <entry>
1218          <para>char *</para>
1219        </entry>
1220        <entry>
1221           <para>data</para>
1222        </entry>
1223        <entry>
1224          <para>authorization protocol data</para>
1225        </entry>
1226     </row>
1227   </tbody>
1228  </tgroup>
1229</informaltable>
1230<para>
1231The Xauth structure returned by this function is initialized as follows:
1232name_length and data_length are zero, and name and data are NULL.
1233</para>
1234
1235<funcsynopsis id='XSecurityFreeXauth'>
1236<funcprototype>
1237  <funcdef>void <function>XSecurityFreeXauth</function></funcdef>
1238    <paramdef>Xauth<parameter> *auth</parameter></paramdef>
1239</funcprototype>
1240</funcsynopsis>
1241
1242<para>
1243<xref linkend='XSecurityFreeXauth' xrefstyle='select: title'/> must be used to free Xauth
1244structures allocated by
1245<xref linkend='XSecurityAllocXauth' xrefstyle='select: title'/> or returned by
1246<xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/>. It is the
1247caller's responsibility to fill in the name and data fields of Xauth structures
1248allocated with <xref linkend='XSecurityAllocXauth' xrefstyle='select: title'/>, so this function
1249will not attempt to free them. In contrast, all storage associated with
1250Xauth structures returned from
1251<xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/> will be freed by this
1252function, including the name and data fields.
1253</para>
1254
1255
1256<funcsynopsis id='XSecurityRevokeAuthorization'>
1257<funcprototype>
1258  <funcdef>Bool <function>XSecurityRevokeAuthorization</function></funcdef>
1259    <paramdef>Display<parameter> *dpy</parameter></paramdef>
1260    <paramdef>XSecurityAuthorization<parameter> auth_id</parameter></paramdef>
1261</funcprototype>
1262</funcsynopsis>
1263
1264<para>
1265<xref linkend='XSecurityRevokeAuthorization' xrefstyle='select: title'/> deletes the authorization
1266specified by auth_id, which must be a value returned in the auth_id_return
1267parameter of <xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/>. All
1268clients that connected with that authorization are be killed. Subsequently,
1269clients that attempt to connect using that authorization will be refused.
1270</para>
1271
1272
1273<funcsynopsis id='XSecurityGenerateAuthorization'>
1274<funcprototype>
1275  <funcdef>Xauth *<function>XSecurityGenerateAuthorization</function></funcdef>
1276    <paramdef>Display<parameter> *dpy</parameter></paramdef>
1277    <paramdef>Xauth<parameter> *auth_in</parameter></paramdef>
1278    <paramdef>unsigned long<parameter> valuemask</parameter></paramdef>
1279    <paramdef>XSecurityAutorizationAttributes <parameter> *attributes</parameter></paramdef>
1280    <paramdef>XSecurityAutorization<parameter> *auth_id_return</parameter></paramdef>
1281</funcprototype>
1282</funcsynopsis>
1283
1284<para>
1285<xref linkend='XSecurityGenerateAuthorization' xrefstyle='select: title'/> creates a new
1286authorization with the specified attributes. The auth_in argument must be
1287allocated by <xref linkend='XSecurityAllocXauth' xrefstyle='select: title'/>. The
1288name and name_length fields of auth_in should be initialized to the
1289authorization protocol name and its length in characters respectively.
1290If there is authorization data, the data and data_length fields of
1291auth_in should be initialized to the data and its length in characters
1292respectively. The library does not assume that name and data are
1293null-terminated strings. The auth_in argument must be freed with
1294<xref linkend='XSecurityFreeXauth' xrefstyle='select: title'/>.
1295</para>
1296
1297<para>
1298The XSecurityAuthorizationAttributes structure has the following fields:
1299</para>
1300
1301<informaltable frame='topbot'>
1302  <?dbfo keep-together="always" ?>
1303  <tgroup cols='3' align='left' colsep='0' rowsep='0'>
1304  <colspec colname='c1' colwidth="1.0*"/>
1305  <colspec colname='c2' colwidth="1.0*"/>
1306  <colspec colname='c3' colwidth="3.0*"/>
1307    <thead>
1308      <row rowsep="1">
1309        <entry>Type</entry>
1310        <entry>Field name</entry>
1311        <entry>Mask</entry>
1312      </row>
1313    </thead>
1314    <tbody>
1315      <row>
1316        <entry>
1317          <para>unsigned int</para>
1318        </entry>
1319        <entry>
1320          <para>trust_level</para>
1321        </entry>
1322        <entry>
1323          <para>XSecurityTrustLevel</para>
1324        </entry>
1325      </row>
1326      <row>
1327        <entry>
1328          <para>unsigned int</para>
1329        </entry>
1330        <entry>
1331          <para>timeout</para>
1332        </entry>
1333        <entry>
1334          <para>XSecurityTimeout</para>
1335        </entry>
1336      </row>
1337      <row>
1338        <entry>
1339          <para>XID</para>
1340        </entry>
1341        <entry>
1342          <para>group</para>
1343        </entry>
1344        <entry>
1345          <para>XSecurityGroup</para>
1346        </entry>
1347      </row>
1348      <row rowsep="1">
1349        <entry>
1350          <para>long</para>
1351        </entry>
1352        <entry>
1353          <para>event_mask</para>
1354        </entry>
1355        <entry>
1356          <para>XSecurityEventMask</para>
1357        </entry>
1358      </row>
1359    </tbody>
1360  </tgroup>
1361</informaltable>
1362
1363<para>
1364These correspond to the trust-level, timeout, group, and event-mask
1365described in the SecurityGenerateAuthorization protocol request. The
1366caller can fill in values for any subset of these attributes. The valuemask
1367argument must be the bitwise OR of the symbols listed in the Mask column
1368for all supplied attributes. The event_mask attribute can be None,
1369XSecurityAuthorizationRevokedMask, or XSecurityAllEventMasks. In this
1370revision of the protocol specification XSecurityAllEventMasks is equivalent
1371to XSecurityAuthorizationRevokedMask. If the caller does not need to
1372specify any attributes, the attributes argument can be NULL, and the
1373valuemask argument must be zero.
1374</para>
1375<para>
1376If the function fails, NULL is returned and auth_id_return is filled in
1377with zero.  Otherwise, a pointer to an Xauth structure is returned. The name
1378and name_length fields of the returned Xauth structure will be copies of the
1379name that was passed in, and the data and data_length fields will be set to
1380the authorization data returned by the server. The caller should not assume
1381that name and data are null-terminated strings. If no authorization data was
1382returned by the server, the data and data_length fields will be set to NULL
1383and zero respectively. The returned Xauth structure must be freed with
1384<xref linkend='XSecurityFreeXauth' xrefstyle='select: title'/>; the caller should not use any other
1385means free the structure or any of its components. The auth_id_return
1386argument will be filled in with the non-zero authorization id of the created
1387authorization.
1388</para>
1389
1390<para>
1391The XSecurityAuthorizationRevokedEvent structure has the following fields:
1392</para>
1393
1394<informaltable frame='topbot'>
1395  <?dbfo keep-together="always" ?>
1396  <tgroup cols='3' align='left' colsep='0' rowsep='0'>
1397  <colspec colname='c1' colwidth="1.0*"/>
1398  <colspec colname='c2' colwidth="1.0*"/>
1399  <colspec colname='c3' colwidth="3.0*"/>
1400    <thead>
1401      <row rowsep="1">
1402        <entry>Type</entry>
1403        <entry>Field name</entry>
1404        <entry>Description</entry>
1405      </row>
1406    </thead>
1407    <tbody>
1408      <row>
1409        <entry>
1410          <para>int</para>
1411        </entry>
1412        <entry>
1413          <para>type</para>
1414        </entry>
1415        <entry>
1416          <para>event base + XSecurityAuthorizationRevoked</para>
1417        </entry>
1418      </row>
1419      <row>
1420        <entry>
1421          <para>unsigned long</para>
1422        </entry>
1423        <entry>
1424          <para>serial</para>
1425        </entry>
1426        <entry>
1427          <para># of last request processed by server</para>
1428        </entry>
1429      </row>
1430      <row>
1431        <entry>
1432          <para>Bool</para>
1433        </entry>
1434        <entry>
1435          <para>send_event</para>
1436        </entry>
1437        <entry>
1438          <para>true if this came from SendEvent</para>
1439        </entry>
1440      </row>
1441      <row>
1442        <entry>
1443          <para>Display*</para>
1444        </entry>
1445        <entry>
1446          <para>display</para>
1447        </entry>
1448        <entry>
1449          <para>Display the event was read from</para>
1450        </entry>
1451      </row>
1452      <row rowsep="1">
1453        <entry>
1454          <para>XSecurityAuthorization</para>
1455        </entry>
1456        <entry>
1457          <para>auth_id</para>
1458        </entry>
1459        <entry>
1460          <para>revoked authorization id</para>
1461        </entry>
1462      </row>
1463    </tbody>
1464  </tgroup>
1465</informaltable>
1466</chapter>
1467</book>
1468