clipboard integration -- possible security implications

William Hubbs w.d.hubbs at gmail.com
Tue Oct 20 17:00:34 EDT 2009


All,

There have been a couple of requests to integrate the speakup cut/paste
functionality with the X clipboard so that cutting something to the
speakup clipboard also puts that data on the X clipboard and vice versa
so that you could cut and paste between the console and the gui.

Chris and I were discussing this today on IRC and we think there are
possible security implications.

The first concern is that X is multi user.  I don't know if orca works
this way, but it is possible for multiple users to run X servers on one
computer and have the displays redirected to their own computers.
If we were to modify X so that putting something on an X clipboard
would also put it in speakup's clipboard, there is no way to know what
would be in speakup's clipboard at any point in a multi user situation.

We also thought about exposing the speakup clipboard as a sys file so
you could just access it with xclip and copy it into the X clipboard.
The concern is that in order for this to be useful, it would have to be
either group or world readable so that you didn't have to become root
every time you wanted to copy from the speakup clipboard to the gnome
clipboard.  Since you can store any information, including personal
information, in the clipboard, this opens up a security hole.  Someone
could read the sys file without you knowing about it and they would have
whatever information was in the file when they read it.

Any feedback, comments, etc. are welcome.  Please let us know what you
think.

William
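
An added illustration of the sys file concern raised in the message above (not code from the original post or from the Speakup project): a model of the Unix owner/group/other read check, applied to the three modes a root-owned clipboard file could have. The accounts, the "speakup" group and gid 450 are constructed for the example.

```python
import stat

# Constructed accounts; the "speakup" group (gid 450) is a hypothetical
# dedicated group, not something the Speakup project defines.
USERS = {
    "root":  {"uid": 0,    "gids": {0}},
    "alice": {"uid": 1000, "gids": {1000, 450}},  # screen reader user
    "bob":   {"uid": 1001, "gids": {1001}},       # unrelated local user
}

# Candidate modes for a root-owned clipboard attribute (file gid 450).
CANDIDATES = {
    "root-only": 0o400,
    "group-readable": 0o440,
    "world-readable": 0o444,
}


def can_read(mode, file_uid, file_gid, uid, gids):
    """Unix DAC read check: the first matching class decides.

    Mode bits only; ACLs and LSM policy are outside this model.
    """
    if uid == 0:
        return True  # root bypasses mode bits (CAP_DAC_OVERRIDE assumed)
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def readers(mode, file_uid=0, file_gid=450):
    """Names of the constructed users who could read the file under `mode`."""
    return sorted(name for name, u in USERS.items()
                  if can_read(mode, file_uid, file_gid, u["uid"], u["gids"]))


def exposure_table():
    """Map each candidate mode label to the users able to read the clipboard."""
    return {label: readers(mode) for label, mode in CANDIDATES.items()}


if __name__ == "__main__":
    for label, names in exposure_table().items():
        print(f"{label:15} {oct(CANDIDATES[label])}  {names}")
```

With a dedicated group, every process running under a member's account can still read the clipboard, so the group mode narrows the exposure without removing it.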