Discussion My Proposal to Change Default XFCE (xfwm) Settings in dom0 for security

Hello everyone,

I’d like to initiate a discussion about my proposal to change the default settings of XFCE (xfwm) in dom0.

My proposal is to stop popups from being focused automatically and to stop popups from being moved automatically to whichever workspace is currently active in dom0. The reason is that I have experienced multiple times that, while I was trying to copy credentials from the vault, a popup window stole the focus right before I hit Ctrl+Shift+V to paste my credentials into a disposable, and the credentials got pasted into the popup.

dom0 is the administrative domain in QubesOS, and its security is paramount to the overall integrity of the system. Default settings should be designed with security in mind, ensuring that the risks associated with general threat models are minimized.

I believe that current default settings could introduce potential user input interception vulnerabilities that compromise the security goals of QubesOS. Maintaining strict security defaults is crucial to safeguarding the system against potential threats.

I’d love to hear your thoughts on this issue! Are there specific adjustments you think could be made?

Issue: Disable Automatic Window Focus Change by Default to Prevent Potential User Input Interception · Issue #9767 · QubesOS/qubes-issues · GitHub
PR: [qubes-issues#9767]: Adding a patch for preventing potential user input interception by rsta79 · Pull Request #20 · QubesOS/qubes-desktop-linux-xfce4-xfwm4 · GitHub

1 Like

Can’t you just disable “Automatically give focus to newly created windows” in the Window Manager settings?

Some people actually want the window to focus.

2 Likes

That setting is too harsh though. Ideally, the Qubes OS fork of xfwm should add a patch to continue to allow another window to take focus but only if the window belongs to the same VM.

3 Likes

Yep, I have disabled that in all of my Qubes setups, but I think that could be a potential security risk.

1 Like

I like the idea.

1 Like

Just give focus after a mouse click into the window or when the mouse pointer hovers above the window.
A bit like the flashy colors on early Sun workstations with low video RAM: everything looked ugly, but the window with the mouse in it was in perfect colors (Sun workstations of the end of the 1990s).

So just giving focus to the window with the mouse in it would be a good default option and is easy to do.

The focus-hovered-window approach cannot solve the security concern I’ve mentioned. The window size is controlled by the qube, which means that a qube can create a large window to intercept the focus. That would pose the same risk as the current default.

I think @rustybird’s idea sounds nice; it balances UX and isolation security. But I don’t know whether people want that feature to be implemented on a per-qube basis, i.e. “Allow yielding focus to window in (Same qube/Any qubes/Disallow)” or “Allow taking focus from window in (Same qube/Any qubes/Disallow)”, or just a global option, “Preventing Focus Stealing from other qubes”. I prefer the yielding one; it can ensure that the focus of a window in that specific qube cannot be moved to another window in the same/another qube, depending on configuration.

@rustybird, what do you think?

I know how much of a burden forking can be on development and maintenance, and the last thing I would want is to force someone to maintain patches for XFCE…

From what I can see, the issue is that you wish to completely control the process of copying your credentials from the vault qube to another qube, and you are concerned about popup windows (which may or may not be deliberately planted) hijacking the focus at just the right moment, which is definitely a real attack vector.

I propose another solution. A qrexec call that would directly transfer the contents of one qube’s clipboard, and transfer it directly into another.

Following the idea of the vault qube (no network access), there would be very little danger in allowing the vault qube to make these qrexec calls itself.

Maybe with a corresponding dom0 terminal command as well. Think qvm-move, but more like qvm-clipboard <source-VM> <destination-VM>. Maybe with options like -t 10, for example, meaning “copy the contents to the destination qube, wait 10 seconds, and then completely overwrite the destination qube’s clipboard”. This is just an example, but there could definitely be many more options for something like this.

Maybe a GUI menu in the XFCE system tray. There currently is an icon in the system tray for the global clipboard, so this could easily be implemented without much work (at least, definitely a lot less work than patching XFCE).

Less work to implement, scriptable, more difficult to get hijacked.

Just a thought.

2 Likes

Having a hovered-window approach following the mouse cursor, which is the point of interest of the user, helps to prevent mistakes. The user sees the window he points to and if it is the wrong one he should not paste or move the mouse elsewhere.

This is better than nothing, a selectable behavior of the WM, so having this as default is a piece of cake I guess.

Maybe whatever is simplest to implement and maintain as a patch, but really I don’t understand X11 + xfwm + the GUI protocol well enough to have an informed opinion. I already caught myself misusing the term “focus stealing” in my previous post, a term which I think only refers to windows explicitly asking the WM for focus? In contrast to receiving focus implicitly simply by popping up a new window, like in your PoC. Somehow the problem also seems to involve window stacking: If new windows are opened unfocused now but still on top, that could confuse people into accidentally typing into a lower window.

1 Like

I don’t know that very well either, but I’m doing research on the xfwm codebase and will probably start working on another PR to implement your ideas. That shouldn’t be too hard to maintain, since the xfce4 codebase is quite stable and patches in the Qubes repo aren’t changed frequently.

Regarding the window stacking problem, we could make the WM raise the window to the top on user input events, just like mouse click events. This would help to solve the problem for typing, but wouldn’t solve the concern of accidentally pasting into the wrong qube, because the user will likely press Ctrl+Shift+V all at once.

And I have discovered another interesting bug: “Prevent focus stealing” in the xfwm config cannot prevent the first window spawned by a disposable from stealing the focus.

Edit: XFCE has two options that may cause popups to be focused automatically: Window Manager Tweaks > Focus > Activate focus stealing prevention, and Window Manager > Focus > Automatically give focus to newly created windows. Setting the first one to ENABLED and the last one to DISABLED fixes the problem.

1 Like

The problem is that a window can be spawned and raised at any time. If that window gets spawned on top right after you check the cursor and right before you hit Ctrl+Shift+V, you will likely end up pasting into the popup, because it doesn’t require user interaction (like a mouse click). So that wouldn’t help to solve the concern of accidentally pasting into the wrong qube.

It’s a cool idea! It solves the accidental paste problem but doesn’t solve the keyboard input interception, which is less severe but should be mitigated as well.

1 Like

Interesting idea! That could even work for Ctrl+Shift+V, because the modifier key(s) will be pressed first (not quite all at once).

1 Like

In my mind, I perceive the hotkeys as a single action, almost like muscle memory. My concern is that users might not have enough time to respond to that. However, this might just be my personal experience though.

1 Like

“The problem is that window can be spawn and raised at anytime”
Then you have click to focus.

I always had Enlightenment 16 many years ago, which was my favorite WM. The one where you had two opening bars that go up and down upon starting the WM. Also this nice brushed metal design and virtual desktop features like in olwm.

There, my favorite behavior settings were hovering the mouse to raise a window, and clicking to get focus in order to interact. This should be done here too.

Have you tried the window manager tweak “activate focus stealing prevention”? I just found it in “window manager tweaks” in the current stable WM settings for XFCE.

Having experienced many WMs, I am a bit agnostic about favorite settings and accept many flaws before I look for a settings menu to change the behavior. So I was actively looking for the hovering and click-to-focus thing.

In Window Manager, in the Focus tab, you want to check “Automatically give focus to newly generated windows” because otherwise you miss the password entry for the keyring if you read your email using Evolution, as I do.
This could also steal focus.

Best is to stay focused and look twice before pasting some credentials into a window.
Also rings true for shell commands :wink:

1 Like

As I mentioned before, I’ve enabled focus stealing prevention and disabled “Automatically give focus to newly created windows”, and this problem no longer affects my setups. But I think these are security-concerning defaults that should be mitigated to provide users with stronger security defaults against this type of attack.

1 Like
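
The two settings named in the “Edit:” post and in the last post above (focus stealing prevention ENABLED, “Automatically give focus to newly created windows” DISABLED) can be checked and applied from a dom0 terminal. This is an added example, not code from the thread or from the Qubes project; it assumes the two checkboxes are stored as the xfwm4 xfconf properties `/general/prevent_focus_stealing` and `/general/focus_new`, and the `XFCONF_QUERY` override is a hook of this example so the audit can be exercised without a running session.

```shell
#!/bin/sh
# Added example (not the project's own code): audit/apply the two xfwm4
# focus settings discussed in the thread, via xfconf-query in dom0.
# XFCONF_QUERY may point at a stub for offline testing (example-only hook).
XFCONF_QUERY=${XFCONF_QUERY:-xfconf-query}

# Values the thread reports as fixing the problem:
# focus stealing prevention ENABLED, focus on new windows DISABLED.
WANTED='/general/prevent_focus_stealing=true
/general/focus_new=false'

# Prints "OK <prop>=<value>" or "DRIFT <prop>=<actual> (want <value>)"
# per property; returns 0 only if every property matches.
audit_focus_settings() {
    rc=0
    for pair in $WANTED; do
        prop=${pair%%=*}
        want=${pair#*=}
        # A property that was never written makes xfconf-query fail;
        # report it as "unset" (xfwm4 then uses its built-in default).
        have=$("$XFCONF_QUERY" -c xfwm4 -p "$prop" 2>/dev/null) || have=unset
        if [ "$have" = "$want" ]; then
            echo "OK $prop=$have"
        else
            echo "DRIFT $prop=$have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Writes the wanted values; -n -t bool creates a property that is unset.
apply_focus_settings() {
    for pair in $WANTED; do
        "$XFCONF_QUERY" -c xfwm4 -p "${pair%%=*}" -n -t bool \
            -s "${pair#*=}" || return 1
    done
}

# Usage: ./focus-audit.sh audit | apply   (file name is hypothetical)
case "${1:-}" in
    audit) audit_focus_settings ;;
    apply) apply_focus_settings && audit_focus_settings ;;
esac
```

As noted earlier in the thread, “Prevent focus stealing” was observed not to stop the first window spawned by a disposable from taking focus, so an `OK` result for that property alone does not cover that case.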