`xcage` is a simple script which makes running untrusted graphical programs in an X ‘sandbox’ easy. It uses `Xnest` to start a wholly self-contained X session running inside the current X session, and then executes a given command as a different user. To get an idea of what use of `xcage` looks like in practice, have a look at a screenshot of it running, with KDE as the window manager of the normal user and FVWM running inside the Xnest cage. This script requires `sudo`.
Advantages | Disadvantages |
---|---|
Much more secure than using e.g. `ssh -Y -l $user localhost`. | Xnest can be buggy (depending, it seems at least in part, on the X driver and how demanding your nested window manager is). |
Easily configured to run an arbitrary command as an arbitrary user. | Only runs on localhost. |
Defaults can be set up in `~/.xcagerc` but overridden on the command line. | Can’t copy and paste between ‘main’ and ‘caged’ X session (from a security point of view this is an advantage, but it can be annoying if you’re not anticipating it). |
Runs at close-to-normal speed - much faster than VNC and similar systems. | |

`xcage` is part of my `bin` repository; you can track `xcage`’s evolution via git.

The command-line arguments are as follows:

```
xcage [-c <cmd>] [-u <user>] [-- <arguments for Xnest>]
```

Where: `<cmd>` is the command to run when the caged X session is started (typically this will be a window manager); `<user>` is the user to run the command as; and `<arguments for Xnest>` are arguments to pass straight to `Xnest`.

For example, if you wish to start an `fvwm` instance as user `ft` running at 1280 by 1024:

```
xcage -c fvwm -u ft -- -geometry 1280x1024
```

Defaults can be set using the `~/.xcagerc` file, which is a shell file included into `xcage`. The following variables can be set: `cmd` maps to `-c`, `user` maps to `-u`, and `xnest_args` maps to `-- <args>`. An example `~/.xcagerc` file is as follows:

```
user="ft"
cmd="fvwm"
xnest_args="-geometry 1280x1024"
```
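
Because `~/.xcagerc` is included as shell code, whatever is written to it runs with your privileges the next time `xcage` starts. The sketch below is an added example, not `xcage`'s own code: the hypothetical functions `rc_is_safe` and `xcage_resolve` check the file's ownership and mode before sourcing it, then apply the documented precedence of command-line options over rc-file defaults.

```shell
#!/bin/sh
# Added illustration, not taken from xcage. rc_is_safe and xcage_resolve
# are hypothetical names; only the option letters and rc variables are xcage's.

# Return 0 only if $1 is a regular file owned by the caller and not
# writable by group or others (a symlink is rejected by -type f).
rc_is_safe() {
    [ -n "$(find "$1" -prune -type f -user "$(id -u)" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Resolve settings: rc-file defaults first, then command-line overrides.
# Usage: xcage_resolve <rcfile> [-c <cmd>] [-u <user>] [-- <Xnest args>]
# Prints "user=... cmd=... xnest_args=..."; fails if the rc file is unsafe.
# The body is a subshell, so sourced variables never leak to the caller.
xcage_resolve() (
    rc=$1; shift
    user= cmd= xnest_args=
    if [ -e "$rc" ]; then
        rc_is_safe "$rc" || { echo "refusing to source $rc" >&2; exit 1; }
        . "$rc"
    fi
    while [ $# -gt 0 ]; do
        case $1 in
            -c|-u)
                [ $# -ge 2 ] || { echo "missing value for $1" >&2; exit 2; }
                if [ "$1" = -c ]; then cmd=$2; else user=$2; fi
                shift 2 ;;
            --) shift; xnest_args=$*; break ;;
            *)  echo "unknown option: $1" >&2; exit 2 ;;
        esac
    done
    printf 'user=%s cmd=%s xnest_args=%s\n' "$user" "$cmd" "$xnest_args"
)
```

Pass the rc file by absolute path (for example `"$HOME/.xcagerc"`), since `.` searches `PATH` for names without a slash.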

`xcage` was inspired by xsandbox. `xcage` aims to build upon `xsandbox`’s strengths whilst also a) being more flexible in configuration and b) ensuring that the command run in the Xnest is run as if it was a genuine shell login.