Behold the Inherent Insecurity of X11 with a Snap Package on Ubuntu 16.04

Recently, Matthew Garrett, a CoreOS security researcher and Linux kernel contributor, published a post pointing out that Snap packages on Ubuntu 16.04 are not secure when running under the X11 display server. X11 is still the default display server on the Ubuntu 16.04 desktop. He published a small Snap app on GitHub to demonstrate that any Snap in an X11 environment can access other X11 applications' data.

In this post, I will show you how to install his Snap app on Ubuntu 16.04 and feel the inherent insecurity of X11. You will also learn how to create Snap apps with snapcraft in the process.

How to Install the Snap Package

First open a terminal window and install Git on Ubuntu 16.04 with this simple command:

sudo apt-get install git

Next, clone Matthew Garrett's GitHub repository.

git clone https://github.com/mjg59/xevilteddy

The above command will create a new directory named xevilteddy in the current working directory. Change into that directory.

cd xevilteddy/

After that, install snapcraft.

sudo apt-get install snapcraft

Install libxtst-dev.

sudo apt-get install libxtst-dev

Create the Snap package with the following command. It will create a xevilteddy_0.1_amd64.snap or xevilteddy_0.1_i386.snap file, depending on your OS architecture.

snapcraft snap

Now let’s install the newly created Snap package.

sudo snap install xevilteddy_0.1*.snap

Then run this Snap app.

/snap/bin/xevilteddy.xteddy

You should see a teddy bear in the upper left corner of your Ubuntu 16.04 desktop.

[Image: ubuntu snap package x11]

And it did record my keystrokes while I was writing this article in Firefox! See the underlined text below.

[Image: ubuntu16.04-snap-log-keystroke]

It will also warn you that the window manager wouldn't leave the window alone and that it could be using curl to send your SSH keys to a remote site. Fortunately there are no SSH keys on my fresh Ubuntu 16.04 install.

In my test, I only saw the above on a fresh Ubuntu 16.04 install. When I tested this on an Ubuntu 16.04 machine that was upgraded from Ubuntu 15.10, I did not see the teddy bear and the Snap package did not log my keystrokes. Instead it produced the following error message.

Bad system call

How to Remove it From Ubuntu 16.04

To remove this snap app from Ubuntu 16.04 desktop, run the following command:

sudo snap remove xevilteddy

List your installed Snap packages with the command below.

snap list

Ubuntu 16.04 server edition does not include the X11 display server by default, so it's not threatened by this security flaw. The Mir and Wayland display servers don't have this security flaw. xdg-app from GNOME is a project similar to Snap, aiming to run applications in a sandbox environment. The good thing about xdg-app is that it only works with the Wayland display server, because X11 is inherently insecure.
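To check your own machine, here is an added example (not from the original post or from Matthew Garrett's repository): a shell audit that reports the session's display server and which installed snaps have an X server connection. It assumes a snapd release that provides `snap connections` and names the interface `x11`; the sample output and the demo-* snap names are constructed.

```shell
#!/bin/sh
# Classify the display server from values passed in as arguments, so the
# logic can be exercised without a live desktop session.
# $1 = XDG_SESSION_TYPE, $2 = WAYLAND_DISPLAY, $3 = DISPLAY
session_kind() {
    case "$1" in
        x11|wayland|mir) echo "$1"; return ;;
    esac
    if [ -n "$2" ]; then echo wayland
    elif [ -n "$3" ]; then echo x11
    else echo none
    fi
}

# Read `snap connections` output on stdin and print the snaps whose x11
# plug is actually connected (a slot column of "-" means disconnected).
x11_snaps() {
    awk 'NR > 1 && $1 == "x11" && $3 != "-" { split($2, p, ":"); print p[1] }' | sort -u
}

# $1 = session kind; stdin = `snap connections` output.
report() {
    x11_snaps | while read -r name; do
        if [ "$1" = x11 ]; then
            echo "EXPOSED $name"
        else
            echo "x11-plug-connected $name (session: $1)"
        fi
    done
}

# Constructed sample of `snap connections` output (not from a real machine).
SAMPLE='Interface  Plug                 Slot      Notes
home       demo-editor:home     :home     -
x11        demo-editor:x11      :x11      -
x11        demo-player:x11      -         -
network    demo-player:network  :network  -
x11        demo-viewer:x11      :x11      manual'

if command -v snap >/dev/null 2>&1; then
    # Live audit of this machine.
    snap connections 2>/dev/null |
        report "$(session_kind "$XDG_SESSION_TYPE" "$WAYLAND_DISPLAY" "$DISPLAY")"
else
    # No snapd here: run against the constructed sample instead.
    printf '%s\n' "$SAMPLE" | report x11
fi
```

Every snap listed as EXPOSED is an X11 client in the same session as your other applications, which is the condition the teddy bear demo relies on.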
