[SOLVED] How to sandboxing with Xeyphyr and comparisson with firejail

Succulent of your garden · Yesterday 00:58:43

So recently I found this https://wiki.archlinux.org/title/Xephyr and I want to know why It could be a better alternative to other tools like firejail for sandboxing, as some people suggest. Nevertheless not so sure if that's true because the man pages is also very short.

But I'm curious because it seems is not a container or a virtual machine. Does anyone is making use of Xephyr in real life instead of debugging graphical applications ?

Last edited by Succulent of your garden (Yesterday 20:27:38)

seth · Yesterday 06:21:15

a better alternative to other tools like firejail for sandboxing, as some people suggest

Xephyr is not a sandbox. It's a nested X11 server w/ pot. HW acceleration.

Xephyr in real life instead of debugging graphical applications ?

https://wiki.archlinux.org/title/Xephyr#Tips_and_tricks
https://wiki.archlinux.org/title/Xorg_m … s_hardware

Succulent of your garden · Yesterday 18:54:58

If you want the citation here it is:

https://www.youtube.com/watch?v=32O0a6qCQaQ

Go to minute 6:48 if you don't want to see all the video.

Probably she is using the downloaded wiki instead of using the current web one, since the disclaimer is not in the web version.

So what do you think Seth ? I'm really interested in the topic that is being displayed in the disclaimer. Do you think is possible using Xephyr for that ? Or I just need to stay with firejail + SELinux + capabilities church ?

Last edited by Succulent of your garden (Yesterday 18:56:25)

seth · Yesterday 19:37:15

A single pleaselikeshareandsubscribe source is not "some people" and the referenced example in the wiki is not "sandboxing" in the common sense…

You're running a dedicated X11 server to isolate some misbehaving client what provides a "sandbox" against an anecdotal misbehavor that's either a client or WM bug (event time and IIRC java relied on some fringe cooperative focus model)
You can also isolate clients from the overall "every client can see every other clients underwear" approch (event sniffing, the wiki mentions keyboard loggers) this way but even if you wanted to call that a sandbox, it's exclusively a "sandbox" on the X11 protocol - even the flatpak not-a-sandbox is more of a sandbox than that. It's utterly unsuited to insulate you from malicious processes and calling it "sandbox" raises and ENTIRELY wrong sense of security, notably w/ todays prevalence of dbus (you'd add dbus-run-session) and on any other layer that's not X11 (there's also nothing preventing the malicious client to detect the nested server, the main server and open a connection to that)

It's a second X11 server, specifically nested and with good acceleration. It does not offer any security benefits.

Succulent of your garden · Yesterday 20:27:15

Understood. Thanks for the explanation, I was curious about Xephyr and the maybe potential usage that I could do with it, but something in my intuition doesn't gave me sense about the "Sandbox" approach [Yes, forgive me about the some people approach, I had being very tired the last days, I should have done the initial post in a better approach]. But now you made clear all my doubts. So once again thanks for that.

Last edited by Succulent of your garden (Yesterday 20:33:01)

Arch Linux

#1 Yesterday 00:58:43

[SOLVED] How to sandboxing with Xeyphyr and comparisson with firejail

#2 Yesterday 06:21:15

Re: [SOLVED] How to sandboxing with Xeyphyr and comparisson with firejail

#3 Yesterday 18:54:58

Re: [SOLVED] How to sandboxing with Xeyphyr and comparisson with firejail

#4 Yesterday 19:37:15

Re: [SOLVED] How to sandboxing with Xeyphyr and comparisson with firejail

#5 Yesterday 20:27:15

Re: [SOLVED] How to sandboxing with Xeyphyr and comparisson with firejail

Board footer