Allow client to force server to terminate if it exits

This is intended to be used by screen lockers, where the server must exit if the screen locker does, to avoid a security hole. As suggested by Alan Coopersmith, this is implemented using a new flag for the disconnect mode of the XFixes extension. Includes wording suggestions from Peter Hutterer. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2025-12-20 00:00:11 +01:00 · 2021-07-20 15:55:26 -04:00 · 2021-07-20 15:55:26 -04:00 · 6b1012c29c
commit 6b1012c29c
parent 5a3d5d624e
3 changed files with 35 additions and 4 deletions
--- a/fixesproto.pc.in
+++ b/fixesproto.pc.in
@ -3,6 +3,6 @@ includedir=@includedir@

 Name: FixesProto
 Description: X Fixes extension headers
-Version: 6.0
+Version: 6.1
 Cflags: -I${includedir}
 Requires: xextproto >= 7.0.99.1
--- a/fixesproto.txt
+++ b/fixesproto.txt
@ -1,5 +1,5 @@
                        The XFIXES Extension
-			    Version 5.0
+			    Version 6.1
 			 Document Revision 1
 			     2010-11-15
 			    Keith Packard
@ -666,15 +666,41 @@ when the relevant X11 clients have quit.

 		XFixesClientDisconnectFlagDefault:	    0
 		XFixesClientDisconnectFlagTerminate:	    1 << 0
+		XFixesClientDisconnectFlagForceTerminate:   1 << 1

 	XFixesClientDisconnectFlagDefault is the default behavior for
-	regular clients, i.e. the X11 server won't terminate as long as such
-	clients are still connected.
+	regular clients: the X11 server won't terminate as long as such
+	clients are still connected and no other clients trigger
+	termination.

 	XFixesClientDisconnectFlagTerminate indicates to the X11 server that
 	it can ignore the client and terminate itself even though the client
 	is still connected to the X11 server.

+	If XFixesClientDisconnectFlagForceTerminate is set at the time the
+	client disconnects, the X11 server MUST terminate and/or reset without
+	delivering further events to clients, even if other clients that have
+	not set XFixesClientDisconnectFlagTerminate are still connected.
+	Screen lockers SHOULD use this flag to ensure that the screen does not
+	unlock if they exit, which would create a security vulnerability.
+	Programs SHOULD NOT use this flag unless unexpected termination would
+	create a security vulnerability or other severe problem.
+
+	Because XFixesClientDisconnectFlagForceTerminate allows the client to
+	cause the server to terminate, it is subject to security checks to
+	prevent unauthorized use.  Servers that support the X Access Control
+	Extension (XACE) MUST deny attempts to set
+	XFixesClientDisconnectFlagForceTerminate, unless the client has
+	DixManageAccess to the server.  Servers that support the SECURITY
+	extension MUST forbid untrusted clients from setting
+	XFixesClientDisconnectFlagForceTerminate. Servers MAY refuse to allow
+	clients to set this flag for other reasons. For instance, a server
+	might only allow the flag to be set by local clients.  If the server
+	refuses to allow the client to set this flag, an Access error results.
+
+	XFixesClientDisconnectFlagForceTerminate is only available in XFixes
+	versions 6.1 and better.
+
 13.2 Requests

 SetClientDisconnectMode
--- a/include/X11/extensions/xfixeswire.h
+++ b/include/X11/extensions/xfixeswire.h
@ -146,4 +146,9 @@
 /* The server may disconnect this client to shut down */
 #define XFixesClientDisconnectFlagTerminate  (1L << 0)

+/*************** Version 6.1 ******************/
+
+/* The server must terminate if this client exits */
+#define XFixesClientDisconnectFlagForceTerminate  (1L << 1)
+
 #endif	/* _XFIXESWIRE_H_ */