# Windows "Secure Desktop", no equivalent in Linux?

## el muchacho

Hi,

Is this a serious security feature that is lacking in the Linux world (not aware of this)?

In Windows, the system can flip into a new Desktop mode whose handles/context run separately into the SYSTEM account, so that a normal user app cannot intercept/interfere with keys struck.

In a way it's a bit similar to how the Ctrl-Alt-Del sequence escapes from the normal signals that an app can deal with.

In the Linux/X world, I don't think this exists. It is well known that any app can capture keys you strike, for instance your password when running sudo in a terminal. Of course if you use sandboxes you can control some system calls, for instance ptrace, and prevent processes snooping on the rest of the system.

----------

## Hu

Keyboard grabs ensure that keystrokes are passed only to the application with the grab.  XScreensaver does this.  You can direct xterm to do this prior to entering sensitive passwords.  Grabs are not normally used because most users like having keybindings for their window manager, and when the grab is in effect, the window manager keybindings do not work.

----------

## Roman_Gruber

Sorry I do not get your point!

If you do not trust the layers below you are out of luck.

And considering Windows as secure is total bullshit because it's binary and from only one company.

And you only see it from the software side, you can compromise the hardware so the software layer above is not aware of it. 

Micronacy in Redmond can call anything secure and some will believe it but I highly doubt it.

And you may research the security topic regarding BIOS / firmware / binaries / hard drive exploits / and much much more ... and such, and then you may realize why I stated my opinion above!

----------

## keet

 *Hu wrote:*   

> Keyboard grabs ensure that keystrokes are passed only to the application with the grab.  XScreensaver does this.  You can direct xterm to do this prior to entering sensitive passwords.  Grabs are not normally used because most users like having keybindings for their window manager, and when the grab is in effect, the window manager keybindings do not work.

 

For the sake of argument, could there be a process that runs with root privileges (or some elevated daemon) that makes sure that input goes only to the window that has focus, and be configured to allow at least some keystrokes to be redirected or shared only to the window manager (or whatever handles hotkeys)?  This sounds like what the window manager already does, except that now it is handled by an elevated process.  I should probably read more about exactly how this works.

When it comes down to it, though, it sounds like you are still trusting (a) the program that you are typing into and (b) the window manager/operating system/whatever handles the software aspect of the keystrokes, and (c) the hardware that you are using to enter input.

----------

## el muchacho

 *tw04l124 wrote:*   

> And considering Windows as secure is total bullshit because it's binary and from only one company.

 

My point is not about relaunching an "is Linux more secure than Windows".

My point is:

- any XWindow process can intercept any keyboard input, including the sudo password you are typing in your console.

- if you need to input an Admin password in Windows, it does so by recreating a new Desktop object, that has different handles and a different security context, making it impossible to capture the keys being hit from your normal Desktop environment where you may have a malware trying to keylog everything.

So by default, this specific feature is, or at least seems (that's why I'm asking), more secure. Now, if you've got precise arguments and facts to bring to the topic on how XWindow can or cannot capture keyboard input, like Hu did, you're welcome.

----------

## ct85711

 *Quote:*   

> - if you need to input an Admin password in Windows, it does so by recreating a new Desktop object, that has different handles and a different security context, making it impossible to capture the keys being hit from your normal Desktop environment where you may have a malware trying to keylog everything. 

 

This part is incorrect, it's only on the software side (after the keys are decoded by the OS).  It is not hard to monitor the hardware side directly and catch the keys entered before it gets to the OS/software layer completely without any restrictions.  The issue about security is that it's fine when you are using it, but it needs to cover everything as a whole to be effective.  It's like hanging a black blanket in front of a screen.  Sure, you can't see through it, but that black blanket doesn't cover the sides or the back of the screen, allowing people to completely walk around it and bypass it.  Also this security context isn't anything new, as it's been in Windows for several versions and people bypass it all the time.  All it is, is a fresh coat of paint over old code and saying "look, something shiny!".

----------

## el muchacho

 *ct85711 wrote:*   

>  It is not hard to monitor the hardware side directly and catch the keys entered before it gets to the OS/software layer completely without any restrictions. 

 

As a non-admin?

----------

## NeddySeagoon

el muchacho,

Google keylogger and TEMPEST for two things.

It's also possible to tell what you are typing by making an audio recording of your keystrokes.

There are several demonstrations of recovering data from RAM by rebooting with a USB key and making an image of all of RAM.

Passwords still in RAM have been identified.  It's reported to work for several minutes after a machine has been powered off.

That's without getting inside the hardware.  Once an attacker has physical access to your hardware, they can do what they want.

Security is like the layers of an onion, it's not impossible to break, it makes it more difficult. The idea being that the attacker will find another target.

Of course, if it's the NSA and they want your passwords, they won't do any of this.  They will just send the boys round.

----------

## el muchacho

I'm aware of those, but that's not the point of my topic.

----------

## Hu

The X server is responsible for reading the input from hardware and passing it to an application.  The X server is not aware of the permissions of the individual programs, so there is no need for a key management process to run elevated.  I am not aware of a way, using only existing tools and features, to implement a system that allows the window manager to monitor keystrokes and forbids all other unfocused programs from monitoring keystrokes.  Such a system would be required to implement an equivalent to Windows' isolated desktop.  In general, the solution on Linux has been that you should prevent untrusted programs from connecting to the X server at all, in which case they cannot monitor keystrokes.  Under standard X server configurations, only processes with CAP_DAC_READ_SEARCH or running as the same user can access your X server authorization cookie.  This provides good enough protection if you refrain from running untrusted programs under your user ID.

----------
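
The two settings Hu's post relies on (host-based access control and the readability of the authorization cookie) can be checked with a short script. This is an added example, not part of any post in the thread; the function names `audit_xhost` and `audit_cookie` are hypothetical, and the parsing assumes the standard `xhost` output format.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on a live session:
#   xhost | audit_xhost && audit_cookie

# Read `xhost` output on stdin; $1 = session owner (default: current user).
# Returns 1 if anything lets a client connect without the cookie.
audit_xhost() {
    owner=${1:-$(id -un)}
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "FAIL: access control is off (xhost +); any client may connect"
                rc=1 ;;
            "SI:localuser:$owner")
                echo "ok: session owner listed" ;;
            SI:localuser:*)
                echo "FAIL: user '${line#SI:localuser:}' may connect without the cookie"
                rc=1 ;;
            INET:*|INET6:*|LOCAL:*)
                echo "FAIL: host-based entry '$line' bypasses the cookie"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# $1 = cookie file (default: $XAUTHORITY, then ~/.Xauthority).
# Returns 1 if group or other has any permission bit on it.
audit_cookie() {
    f=${1:-${XAUTHORITY:-$HOME/.Xauthority}}
    [ -f "$f" ] || { echo "WARN: no cookie file at $f"; return 2; }
    # characters 5-10 of the mode string are the group and other bits
    perms=$(ls -ldL "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $f is accessible beyond its owner ($perms); chmod 600 it"
        return 1
    fi
    echo "ok: $f is readable only by its owner"
}
```

----------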

## baaann

Hopefully I have understood correctly, but Martin Gräßlin appears to be addressing this in Kwin?

----------

## ct85711

 *Quote:*   

> As a non-admin?

 

How do you think keyloggers and other malware/viruses work?  All of them don't care about what user you are, yet they affect systems right and left without a care in the world.  There's been several times, as the Windows guest account (which should be the most restrictive account), I was able to go in and change the admin's password.  Windows is notorious for redirecting people's attention away from the glaring issues, and have people look at the nice and shiny.  Sadly, they've mastered the phrase "Out of sight, out of mind" for normal people (aka mindless sheep) and ignore the people who don't follow along (like all the hackers happy because they get free rein to do what they want).

----------

