1

In Ubuntu, I can take a screenshot of the entire screen's content by using the 'screenshot' tool running in user space. How come that is possible? And doesn't that mean that any process can spy on the contents of the screen at any time to read sensitive information without needing root privileges?

Edit: I don't care about the screenshot program specifically. I'm just using it as an example to show that any process can read the contents on the screen without needing privileges. E.g. if i have my tax documents open, any rogue running script can just capture it without my knowledge.

2assakalan9
  • 69
  • Well you open an app that takes screenshots and have it take one. This question makes no sense.. – doug Jun 06 '20 at 16:20
  • but it could run without sudo. So this means that any process can run a script and read the screen's content. – 2assakalan9 Jun 06 '20 at 17:30
  • I'll simply put this here http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html . Nobody really cares about isolation. It is a question of trust. – N0rbert Jun 06 '20 at 19:00
  • @N0rbert Thanks, that seems so. If you add an answer with this link I'll mark it as the accepted answer – 2assakalan9 Jun 06 '20 at 20:51
  • I'm going to assume that all the downvotes are people mad that I exposed a major security flaw in Linux. – 2assakalan9 Jun 06 '20 at 20:52
  • @Nmath "couldn't you say the same thing about your file manager being able to list all your files..." - this is not the same. I can chmod a file and not the file manager nor the notepad would be able to access it without privileges. But apparently if I read the file with root privileges and display it to the GUI, any rogue process can just capture the content directly from the screen without needing privileges. And a rogue process can come from any legit source. Do you go through every single line of code of the "legitimate" programs you install on your system? – 2assakalan9 Jun 07 '20 at 00:33
  • They are entitled to their opinion. Nothing in the original question sounded ranty. I thought I was asking a straightforward question. I couldn't find a duplicate of it (or related) anywhere on stack using basic keywords. According to N0bert's comment's blog link, not knowing this is common among linux users. – 2assakalan9 Jun 07 '20 at 00:34
  • So is your question more to do with what rogue scripts can do potentially rather than specifically capturing whatever is visible on your screen? Why should the rogue script limit its activity to just that? It could delete files, modify them, send them to me, etc. Maybe you can clarify your question? – DK Bose Jun 07 '20 at 04:17
  • My question is, why is it possible for any process not running as root to capture the contents of the screen. I can restrict, as root, user access to any file or folder (chmod 004). Therefore, a rogue process running in user domain CANNOT do anything to them. But a rogue process can still grab the content of the screen/keyboard, learn what the sudo password is, and gain root privileges. I realize now that this is because of the X window system. – 2assakalan9 Jun 07 '20 at 04:30

3 Answers3

3

After doing some research, I realized that this is an unavoidable when using the X window system, which is implemented by default on Ubuntu. Some good news is that it seems that Wayland mitigates these issues.

A really good article shared by a comment is this, explaining this security fault.

The Linux Security Circus: On GUI isolation

There certainly is one thing that most Linux users don't realize about their Linux systems... This is the lack of GUI-level isolation, and how it essentially nullifies all the desktop security. I wrote about it a few times, I spoke about it a few times, yet I still come across people who don't realize it all the time.

So, let me stress this one more time: if you have two GUI applications, e.g. an OpenOffice Word Processor, and a stupid Tetris game, both of which granted access to your screen (your X server), then there is no isolation between those two apps. Even if they run as different user accounts! Even if they are somehow sandboxed by SELinux or whatever! None, zero, null, nil!

The X server architecture, designed long time ago by some happy hippies who just thought all the people apps are good and non-malicious, simply allows any GUI application to control any other one. No bugs, no exploits, no tricks, are required. This is all by design. One application can sniff or inject keystrokes to another one, can take snapshots of the screen occupied by windows belonging to another one, etc.

If you don't believe me, I suggest you do a simple experiment. Open a terminal window, as normal user, and run xinput list, which is a standard diagnostic program for Xorg:

It will show you all the pointer and keyboard devices that your Xorg knows about. Note the ID of the device listed as "AT keyboard" and then run (as normal user):

xinput test *id*

It should now start displaying the scancodes for all the keys you press on the keyboard. If it doesn't, it means you used a wrong device ID.

Now, for the best, start another terminal window, and switch to root (e.g. using su or sudo). Notice how the xinput running as user is able to sniff all your keystrokes, including root password (for su), and then all the keystrokes you enter in your root session. Start some GUI app as root, or as different user, again notice how your xinput can sniff all the keystrokes you enter to this other app!

Yes, I can understand what is happening in your mind and heart right now... Don't worry, others have also passed through it. Feel free to hate me, throw out insults at me, etc. I don't mind, really (I just won't moderate them). When you calm down, continue reading.

In Qubes security distribution the above problem doesn't exist, because each domain (each AppVM) has it own local, isolated, dummy X server. The main X server, that runs in Dom0 and that handles the real display is never exposed to any of the AppVMs directly (AppVMs cannot connect to it via the X protocol). For details see this technical overview.

You can repeat the same experiment in Qubes. You just need to use the ID of the “qubesdev” device, as shown by xinput list (should be 7). Run the xinput in one of your domains, e.g. in the “red” one. Because we actually use the same device for both mouse and keystrokes, you should now see both the key scancodes, as well as all the mouse events. Notice how your xinput is able to sniff all the events that are destined for other apps belonging to the same domain where you run xinput, and how it is unable to sniff anything targeted to other domains, or Dom0.

BTW, Windows is the only one mainstream OS I'm aware of, that actually attempts to implement some form of GUI-level isolation, starting from Windows Vista. See e.g. this ancient article I wrote in the days when I used Vista on my primary laptop. Of course, it's still easy to bypass this isolation, because of the huge interface that is exposed to each GUI client (that also includes GPU API). Nevertheless, they at least attempt to prevent this at the architecture level.

karel
  • 114,770
2assakalan9
  • 69
  • Please return to this page after 2 days and click the gray checkmark beside your answer to mark it as accepted. The checkmark will change color from gray to green when it is clicked. – karel Jun 07 '20 at 04:36
2

You could take the time to allow no one except root user to run the screenshot program. However other programs can still see the "screen", any "monitor" and any "window" opened.

For example my little python script "reads" the screen image, gathers monitor information and controls any window:

mmm screenshot.png

The same python script also pauses/plays movies on the left monitor, adjusts brightness and color temperature on any monitor and even controls a 120 VAC light behind a TV turning it off and on.

What you deem a disadvantage or "security hole" is actually an advantage or "freedom" for others. After all, we are talking about "personal computers". Even in business settings it is often necessary for a low-power user to take a screenshot. One example is taking a program's screenshot and sending it to corporate help desk for support.

WinEunuuchs2Unix
  • 102,282
  • I don't care about the screenshot program. I was using it as an example that no root privileges are needed to read screen's content. Also, I do see this as a security risk, because any running process can read EVERYTHING the user could be working with without their knowledge. – 2assakalan9 Jun 06 '20 at 17:30
  • Is there a way to make accessing the contents of the screen require root privileges? – 2assakalan9 Jun 06 '20 at 17:33
  • About your comment on freedom, it's not like I'm against being able to screenshot the desktop, but at least make it require root privileges!!! – 2assakalan9 Jun 06 '20 at 17:44
0

Good ol' X11 is a legacy technology and not very secure in this aspect, you can even (video) capture and share the desktop, not just still images.

This is why newer alternatives like Wayland doesn't easily allow third-party apps to do these. But we, the average users, are so used to these features that not having these options breaks the usability of these alternatives for most of the average users.

Refer to this to learn more: Why is Wayland better?

pomsky
  • 68,507
  • In the context of the question this answer implies one can't take a screenshot of desktop in wayland, Not true... – doug Jun 06 '20 at 16:19
  • I didn't say that though (and neither did I even imply). From what I read it seemed to me OP's worry is rogue third-party apps taking screenshots without telling the user. – pomsky Jun 06 '20 at 16:51
  • Yes exactly, that is my worry @pomsky. – 2assakalan9 Jun 06 '20 at 17:41