Really... That needs explaining....

How, exactly, do you think you can confine one application from another, potentially remote, application with no way to mutually decide if the applications are authorised to connect to each other?

Protip, you can't.

By not exporting anything into the confined application's environment that is should not have access to.

That is like all containers and sandbox technologies work

And how does the application sandbox itself from that environment without being vulnerable to MiTM attacks?

In enterprise use you don't just want the user protected from the system, it's much more important to proect the system from the user.

No there is the simple Wayland protocol answer. Confine by default. This is why Wayland protocol it self does not have emulated input and many other features.

You only need to know if the applications are authorized to connect to each other if you are going to punch holes in the confinement so they can talk to each other. If you are not going to let the applications interact with each other you don't need to know the answer if they can or not because you are defaulting to not. Current design of wayland throws hole punching in confinement out to dbus.

That the other thing the X11 "server side interpreted permissions for local user and localgroup" are in reality not used to work out if applications connected to the xserver can interact with each other or not. Everything under xauth in fact only checks can you connect to server yes/no then no restriction after that. X11 protocol by default no application to application confinement at all.

X11 with XACE attempt to give some application to application confinement but this is only after setting up full blown mandatory access control and has very bad habit of making X11 applications not work at all. XACE is on a per application base not a per user base with horrible complex policy. Do remember XACE is only a half done thing so it does not have all the hooks inside X11 it should to have proper confinement. One of the holes is XACE is not correctly connected up to the opengl buffers. Guess what wayland with use of DMABUF(yes using host provided security) happens to be correctly hooked up to selinux for opengl buffers.

Yes at the time XACE was developed DRI3/DMABUF did not exist so it has stack of stuff implemented that if you did it from scratch today you would be just offloading straight to the Host OS provided security so avoiding a stack of race conditions that cause security holes.

Remember XACE is off by default.

This is the problem with X11 security is has not been modernized to use the featured added to OS kernels to address the limitations of the old methods.

Look at the current Xsecurity page mSparks. What feature there protects against MITM attacks. MIT kerberos is not part of current x.org X11 server.

Remember the topic is X11 and Wayland. Since current version of X11 and Wayland neither have MITM protection so that topic does not apply here.

untrusted X forwarding over SSH with kerberos and magic cookies plus user display server on a completely different machine than the application. All that "stuff people playing steam games" find superfluous. The whole reason Xwayland NEEDS to exist.

Like I get that wayland with none of that but higher performance would be attractive to people playing steam games, but since we NOW KNOW wayland does not have higher performance, wayland is dead.

SSH yes processes kerberos but X11 server does not these days. Magic cookies are totally not effective against MiTM. The non encrypted before ssh and after ssh or if you are running without ssh is a great target to MITM X11 forward or foolish X11 straight over network.

On unencrypted connection using kerberos is pointless Yes MITM against X11 the magic cookies do not matter

Remember
man in middle.
source-attacker-destination.
Magic cookie allows connection to open so source sends magic cookie attacker forwards magic cookie destination believes user is valid and complete misses that attacker is there.

The reality nothing you wrote says that X11 protocol/x.org xserver has any anti MITM


This is 2008 when it demoed on HPUX systems. Where a local users is able to man in middle another lcoal user who happens to be connected by ssh. The reality here MIT kerberus and MIT magic cookie of the X11 protocol does nothing to prevent it that was proved in 2008. Localuser filtering and localsocket usage required so a different user on the system cannot connect to your X11 server after they trick your application to connect to the wrong socket.

World wide writable socket made man in middle attacks against X11 possible. To absolutely prevent main in middle attacks by different users on system you need to us host security.

xWayland need to exist for legacy applications.

Waypipe over ssh or rdp over ssh are equal or better security to X11 forwarding over ssh.

Its a universal weakness of "server side interpreted" that not using encrypted transmission that it fully open to man in middle attack. 2008 was really just demo the generic case. Localuser and Localgroup are out of band checks. Everything in band like mit-kerberos-5, mit magic cookie(any form of magic cookie), usernames/passwords....area all toast if your protocol is not encrypted at the point person man in middles.
The things that stops man in middle
1) encrypted data stream.
2) host OS security

inband is anything you send to the server to have the server interpreted security process. Wayland has not implemented most of this inband stuff because people think it works when really does not.

I ask you looking a xsecurity to give me what prevent man in middle. There is only one part and it not implemented correctly.

Read though my open issue a notice the argument for not setting ACLs on the socket is that inband stuff works. Yes this also means for mit magic cookie your set xhost localuser and localgroup values are not getting checked so X11 server is open to MITM same kind as what was demoed in 2008.

The majority of deployments were never xorg-server. It is xquartz and kit like xming. (had to google xming, never did much enterprise windows stuff, probably cisco stuff used more thinking about it. X410 on WSL2 is apparently the most popular commercial version now..)

They have spent the last 10 or 15 years migrating from in house IBM servers running redhat linux to microsoft azure servers running ubuntu, but I very much doubt any of the software infrastructure has actually changed significantly, it hasn't for HPC, and the kind of organisations that had that set up are far slower to change than HPC setups.

Did not read the X410 website did you.
Xquartz, zming and X410 have the same X11 security code taken straight from x.org X11 xserver. All 3 created a world wide writeable socket. All 3 have MIT magic cookie override any localuser/localgroup filtering. All 3 have removed MIT kerberos support. X410 ssh does not support MIT kerberos either.

mSparks majority of deployments are xorg-server code particular when it comes to security code. xquartz, xming, X410 and xorg-server are all the same thing when it comes to a security audit because the security is all implemented the same way from exactly the same code..

There are X11 servers not based on xorg-server but they are rare.

You clearly never had, or you would have surely chucked that "xorg server is dead" idea before we found out that wayland does not have better performance than X11.

You can complain they are holding it wrong all you want, its not going to make them spend hundreds of millions of dollars to change something they do not consider broken to something that CANNOT do any of that by design, beyond any doubt not a hacky proof of concept written for Google Summer of Code.

Stuff like


Is coming from kit like MS exchange, NOT and NEVER their X11 based systems.