
Installation Instructions

General Warning

Since this software is still in development, it is not meant for use on production machines. Please use it only for development or testing purposes.

Downloading the Sources

Download the XFree86 server sources. The following table lists the source files you need to download. The files marked as optional contain the fonts and the documentation distributed with XFree86: you may optionally install those too, if you wish.

Version    Required files    Optional files
XFree86 4.3.0 X430src-1.tgz
XFree86 4.2.1 X420src-1.tgz
XFree86 4.2.0 X420src-1.tgz X420src-2.tgz

Unpack the XFree86 sources in a directory, e.g. ~/X. The source tree root will be ~/X/xc. (If you are using XFree86 4.2.1, apply the 4.2.0-4.2.1.diff.gz patch now.)

Optionally, download the OpenSSH sources. Unpack the tar file in ~/X/openssh-sss, where sss is the current version of OpenSSH.

From the summary page of this project, download the latest version of the following files:

where vvv is a version number for each package. Make sure that xxx matches the version of the server sources and that sss matches the version of the OpenSSH sources (if you downloaded them).

If you instead want to use the CVS, download the server patch following these instructions.
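A pre-flight check for the download step above, as an added example that is not part of the original page or the project's code: it reads xxx and sss from the patch file names and confirms that the matching XFree86 tarball (plus the 4.2.0-4.2.1 diff for 4.2.1) and the openssh-sss tree are present. It assumes the downloaded files are still in the unpack directory (~/X on this page); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (assumption: downloads are kept in the unpack directory and
# named as on this page: xsupervisor-<pkg>-<srcver>-<vvv>.diff.gz).
# Usage after sourcing this file: preflight ~/X

# Print the source version (xxx or sss) encoded in a patch file name.
patch_srcver() {   # $1 = patch file, $2 = package (XFree86 or openssh)
    name=${1##*/}
    case $name in
        xsupervisor-"$2"-*-*.diff.gz) ;;
        *) return 1 ;;
    esac
    name=${name#xsupervisor-"$2"-}
    name=${name%.diff.gz}
    printf '%s\n' "${name%-*}"      # drop the trailing -vvv
}

# Files the page's table and unpack step require for each server version.
required_sources() {
    case $1 in
        4.3.0) echo "X430src-1.tgz" ;;
        4.2.1) echo "X420src-1.tgz 4.2.0-4.2.1.diff.gz" ;;
        4.2.0) echo "X420src-1.tgz" ;;
        *) return 1 ;;
    esac
}

preflight() {      # $1 = download directory; returns 0 when consistent
    dir=$1 rc=0
    for p in "$dir"/xsupervisor-XFree86-*.diff.gz; do
        [ -e "$p" ] || { echo "no server patch in $dir" >&2; return 1; }
        ver=$(patch_srcver "$p" XFree86) || { echo "bad name: $p" >&2; return 1; }
        files=$(required_sources "$ver") || { echo "unsupported XFree86 $ver" >&2; return 1; }
        for f in $files; do
            [ -f "$dir/$f" ] || { echo "missing $f for XFree86 $ver" >&2; rc=1; }
        done
    done
    for p in "$dir"/xsupervisor-openssh-*.diff.gz; do
        [ -e "$p" ] || continue     # OpenSSH is optional
        sss=$(patch_srcver "$p" openssh) || { rc=1; continue; }
        [ -d "$dir/openssh-$sss" ] || { echo "patch is for openssh-$sss, tree not found" >&2; rc=1; }
    done
    return $rc
}
```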

Building the Server, the Client and (Optionally) OpenSSH

Apply the server patch by changing to the ~/X directory and running

$ gzip -dc xsupervisor-XFree86-xxx-vvv.diff.gz | patch -p0

Then, compile the server as usual (make World). You may run make install, but you do not have to. You can run the server from the source tree by running XFree and Xnest in the tree: in that case, you may have to adjust the LD_LIBRARY_PATH environment variable to point to the path of the compiled libraries.

Unpack the client in the ~/X directory, thus creating the ~/X/xsupervisor-client-vvv directory. Change to that directory, and type xmkmf to produce the Makefile. If you did not install XFree86, you have to type xmkmf ~/X/xc to point to the root of the source tree. Build the client with make.

If you downloaded OpenSSH and the related patch, apply the patch by changing to the ~/X directory and running

$ gzip -dc xsupervisor-openssh-sss-vvv.diff.gz | patch -p0

Build (and optionally install) OpenSSH as usual. Using the patched OpenSSH, you should be able to set the new option ForwardTrustedX11 to either yes or no to mark clients from that host as trusted or untrusted, respectively.

Running the Supervisor

Start the patched server (even Xnest is fine). Make sure the server is started with an X Security cookie in the auth file. Moreover, you should set the XAUTHORITY environment variable to the auth file. See the xauth man page for more information. A simple way of doing this is to run this shell script (you may have to change the variables at the top):


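SRC=~/X/xc                        # the XFree86 source tree root
export NEW_DISPLAY=:1             # a free display number
export NEW_XAUTHORITY=~/X/Xauth   # a file for the trusted cookie

# store a fresh cookie for the new display in the auth file
xauth -f $NEW_XAUTHORITY \
     add $NEW_DISPLAY . `mcookie`
$SRC/programs/Xserver/Xnest $NEW_DISPLAY \
     -terminate -auth $NEW_XAUTHORITY &

# now start a window manager for the new server
sleep 2
# point the clients started from here at the new server and its auth file
export DISPLAY=$NEW_DISPLAY XAUTHORITY=$NEW_XAUTHORITY
$SRC/programs/twm/twm &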

In the patched server, open an X terminal emulator (such as xterm) and start the supervisor client with it by running ~/X/xsupervisor-client-vvv/xsupervisor. No supervisor window should appear right now. Usually you will have to set the LD_LIBRARY_PATH environment variable to the path of the new, patched libraries. This is usually done with:

$ cd ~/X/xsupervisor-client-vvv
$ LD_LIBRARY_PATH=~/X/xc/exports/lib:$LD_LIBRARY_PATH xterm \
  -e ./xsupervisor &

Testing the Supervisor

To actually see the intervention of the supervisor, you have to try to violate the server security policy with an untrusted client. For instance, you can run an untrusted client by using the patched OpenSSH and connecting to some host with the option ForwardTrustedX11 no: all the forwarded clients will be untrusted.

Alternatively, if you have not built the patched OpenSSH, you can create a new untrusted terminal emulator with the following commands:

$ xauth -f ~/X/Xauth.unt generate $DISPLAY . timeout 0 untrusted
xauth:  creating new authority file ~/X/Xauth.unt
$ XAUTHORITY=~/X/Xauth.unt xterm &

All the clients launched from this terminal emulator will be untrusted too.

Now, if you try to do something that triggers the internal server policy (e.g. to copy and paste text from an untrusted client to a trusted one, or vice versa), a supervisor dialog should pop up. The dialog should disclose at least the following information:

The dialog will let you choose whether the request should be allowed or rejected.

That's all. Have fun.

Using CVS Instead of the Released Packages

Instead of downloading the XFree86 server patch file (xsupervisor-XFree86-xxx-vvv.diff.gz), you can download the latest development version from CVS. The CVS version is likely to be much less stable than the released packages, and should be used only for development. To obtain the patch, run the following commands:

$ export CVSROOT=:pserver:anonymous@cvs.xsupervisor.sourceforge.net:/cvsroot/xsupervisor
$ cvs login
Password: (press enter here)
$ cvs rdiff -u -r xf-XXX-orig -r xf-XXX xc | gzip -c > xsupervisor-XFree86-XXX-cvs.diff.gz

where XXX is the XFree86 release number as in the XFree86 CVS. For example, for the current XFree86 4.3.0, the above command should be cvs rdiff -u -r xf-4_3_0-orig -r xf-4_3_0 xc | gzip -c > xsupervisor-XFree86-4.3.0-cvs.diff.gz.

After that, apply the patch to the XFree86 tree as explained above.

Further information can be found in the project summary page.

The OpenSSH patch and the supervisor client are currently not kept in the CVS.

Last update: 11 Mar 2003 by zunrob