- NetBSD Manual Pages
Powered by man-cgi (2020-09-24).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.
SecurityPolicy - X Window System SECURITY Extension Policy file format
The SECURITY extension to the X Window System uses a policy file to
determine which operations should be allowed or denied. The default
location for this file is /usr/X11R7/lib/xserver/SecurityPolicy.
The syntax of the security policy file is as follows. Notation: "*"
means zero or more occurrences of the preceding element, and "+" means
one or more occurrences. To interpret <foo/bar>, ignore the text after
the /; it is used to distinguish between instances of <foo> in the next
<policy file> ::= <version line> <other line>*
<version line> ::= <string/v> '\n'
<other line > ::= <comment> | <access rule> | <site policy> | <blank line>
<comment> ::= # <not newline>* '\n'
<blank line> ::= <space> '\n'
<site policy> ::= sitepolicy <string/sp> '\n'
<access rule> ::= property <property/ar> <window> <perms> '\n'
<property> ::= <string>
<window> ::= any | root | <required property>
<required property> ::= <property/rp> | <property with value>
<property with value> ::= <property/rpv> = <string/rv>
<perms> ::= [ <operation> | <action> | <space> ]*
<operation> ::= r | w | d
<action> ::= a | i | e
<string> ::= <dbl quoted string> | <single quoted string> | <unquoted string>
<dbl quoted string> ::= <space> " <not dquote>* " <space>
<single quoted string> ::= <space> ' <not squote>* ' <space>
<unquoted string> ::= <space> <not space>+ <space>
<space> ::= [ ' ' | '\t' ]*
<not newline> ::= any character except '\n'
<not dquote> ::= any character except "
<not squote> ::= any character except '
<not space> ::= any character except those in <space>
The semantics associated with the above syntax are as follows.
<version line>, the first line in the file, specifies the file format
version. If the server does not recognize the version <string/v>, it
ignores the rest of the file. The version string for the file format
described here is "version-1" .
Once past the <version line>, lines that do not match the above syntax
<comment> lines are ignored.
<sitepolicy> lines are currently ignored. They are intended to specify
the site policies used by the XC-QUERY-SECURITY-1 authorization method.
<access rule> lines specify how the server should react to untrusted
client requests that affect the X Window property named <property/ar>.
The rest of this section describes the interpretation of an <access
For an <access rule> to apply to a given instance of <property/ar>,
<property/ar> must be on a window that is in the set of windows speci-
fied by <window>. If <window> is any, the rule applies to <prop-
erty/ar> on any window. If <window> is root, the rule applies to
<property/ar> only on root windows.
If <window> is <required property>, the following apply. If <required
property> is a <property/rp>, the rule applies when the window also has
that <property/rp>, regardless of its value. If <required property> is
a <property with value>, <property/rpv> must also have the value speci-
fied by <string/rv>. In this case, the property must have type STRING
and format 8, and should contain one or more null-terminated strings.
If any of the strings match <string/rv>, the rule applies.
The definition of string matching is simple case-sensitive string com-
parison with one elaboration: the occurrence of the character '*' in
<string/rv> is a wildcard meaning "any string." A <string/rv> can con-
tain multiple wildcards anywhere in the string. For example, "x*"
matches strings that begin with x, "*x" matches strings that end with
x, "*x*" matches strings containing x, and "x*y*" matches strings that
start with x and subsequently contain y.
There may be multiple <access rule> lines for a given <property/ar>.
The rules are tested in the order that they appear in the file. The
first rule that applies is used.
<perms> specify operations that untrusted clients may attempt, and the
actions that the server should take in response to those operations.
<operation> can be r (read), w (write), or d (delete). The following
table shows how X Protocol property requests map to these operations in
the X.Org server implementation.
GetProperty r, or r and d if delete = True
RotateProperties r and w
ListProperties none, untrusted clients can always list all properties
<action> can be a (allow), i (ignore), or e (error). Allow means exe-
cute the request as if it had been issued by a trusted client. Ignore
means treat the request as a no-op. In the case of GetProperty, ignore
means return an empty property value if the property exists, regardless
of its actual value. Error means do not execute the request and return
a BadAtom error with the atom set to the property name. Error is the
default action for all properties, including those not listed in the
security policy file.
An <action> applies to all <operation>s that follow it, until the next
<action> is encountered. Thus, irwad means ignore read and write,
GetProperty and RotateProperties may do multiple operations (r and d,
or r and w). If different actions apply to the operations, the most
severe action is applied to the whole request; there is no partial
request execution. The severity ordering is: allow < ignore < error.
Thus, if the <perms> for a property are ired (ignore read, error
delete), and an untrusted client attempts GetProperty on that property
with delete = True, an error is returned, but the property value is
not. Similarly, if any of the properties in a RotateProperties do not
allow both read and write, an error is returned without changing any
Here is an example security policy file.
# Allow reading of application resources, but not writing.
property RESOURCE_MANAGER root ar iw
property SCREEN_RESOURCES root ar iw
# Ignore attempts to use cut buffers. Giving errors causes apps to crash,
# and allowing access may give away too much information.
property CUT_BUFFER0 root irw
property CUT_BUFFER1 root irw
property CUT_BUFFER2 root irw
property CUT_BUFFER3 root irw
property CUT_BUFFER4 root irw
property CUT_BUFFER5 root irw
property CUT_BUFFER6 root irw
property CUT_BUFFER7 root irw
# If you are using Motif, you probably want these.
property _MOTIF_DEFAULT_BINDINGS rootar iw
property _MOTIF_DRAG_WINDOW root ar iw
property _MOTIF_DRAG_TARGETS any ar iw
property _MOTIF_DRAG_ATOMS any ar iw
property _MOTIF_DRAG_ATOM_PAIRS any ar iw
# The next two rules let xwininfo -tree work when untrusted.
property WM_NAME any ar
# Allow read of WM_CLASS, but only for windows with WM_NAME.
# This might be more restrictive than necessary, but demonstrates
# the <required property> facility, and is also an attempt to
# say "top level windows only."
property WM_CLASS WM_NAME ar
# These next three let xlsclients work untrusted. Think carefully
# before including these; giving away the client machine name and command
# may be exposing too much.
property WM_STATE WM_NAME ar
property WM_CLIENT_MACHINE WM_NAME ar
property WM_COMMAND WM_NAME ar
# To let untrusted clients use the standard colormaps created by
# xstdcmap, include these lines.
property RGB_DEFAULT_MAP root ar
property RGB_BEST_MAP root ar
property RGB_RED_MAP root ar
property RGB_GREEN_MAP root ar
property RGB_BLUE_MAP root ar
property RGB_GRAY_MAP root ar
# To let untrusted clients use the color management database created
# by xcmsdb, include these lines.
property XDCCC_LINEAR_RGB_CORRECTION rootar
property XDCCC_LINEAR_RGB_MATRICES rootar
property XDCCC_GRAY_SCREENWHITEPOINT rootar
property XDCCC_GRAY_CORRECTION rootar
# To let untrusted clients use the overlay visuals that many vendors
# support, include this line.
property SERVER_OVERLAY_VISUALS rootar
# Dumb examples to show other capabilities.
# oddball property names and explicit specification of error conditions
property "property with spaces" 'property with "'aw er ed
# Allow deletion of Woo-Hoo if window also has property OhBoy with value
# ending in "son". Reads and writes will cause an error.
property Woo-Hoo OhBoy = "*son"ad
Default X server security policy
Xserver(1), Security Extension Specification
X Version 11 X.Org 7.3nb20081014 SecurityPolicy(5)