For an article written late last year I hoped for a little more awareness of how massive a security hole granting full, unfiltered access to the X11 server is. Granted, any sandboxing is better than none, but firefox is one of the few apps that already sandboxes itself really well, and with a blog title like that it might be good to touch upon things like nested X servers such as Xephyr.
Correct me if I'm wrong, but passing through the X socket gives a giant sandbox escape as any application can control/see any other application, including a root terminal in a GUI app.
Hard for me to take that one seriously.. For example they call out byte swapping for endianness as the type of cruft holding back X11. Such a trivial thing to be concerned enough to put in the readme... (I guess Phoenix is also putting this..) Seems like mostly authored by Claude too.
The author of the phoenix x server has blogged about it, iirc.
Which is configured by default on what distros?
I have little experience with lxc but I guess waypipe could be an option too.
https://docs.redhat.com/en/documentation/red_hat_enterprise_...
https://github.com/X11Libre/xserver/blob/master/doc/Xnamespa...
edit: phoenix was the name: https://github.com/external-mirrors/phoenix#phoenix