use Xephyr to run programs securely

2023-06-14 13:37:48 +02:00 · 2023-06-14 13:37:48 +02:00 · 11349c8a7c
commit 11349c8a7c
parent 8d0da7d78e
3 changed files with 53 additions and 4 deletions
--- a/bin/configure_template.sh
+++ b/bin/configure_template.sh
@ -22,6 +22,14 @@ pkg_add openbox neofetch xneko dillo firefox-esr chromium claws-mail-- thunar ke
 # so copied/mounted /home is ready
 rcctl disable sshd

+cat <<NESTED >/etc/stumpwmrc
+(setf *startup-message* nil)
+(defun st-kill-empty (a)
+  (if (= 0 (length (screen-windows (current-screen))))
+    (stumpwm:quit)))
+(stumpwm:add-hook stumpwm:*destroy-window-hook* 'st-kill-empty)
+NESTED
+
 cat <<NESTED >/etc/rc.local
 #!/bin/sh
 HOST=\\\$(awk '/^host-name/ { print \\\$2}' /var/db/dhcpleased/vio0)
@ -69,7 +77,7 @@ chmod +x /etc/rc.local
 halt
 EOF

-./connect.sh openbsd-template uptime
+./connect.sh openbsd-template "xterm -e /bin/sh -c 'sleep 5 && exit'"

 cat $FILE | ssh -o StrictHostKeyChecking=no root@openbsd-template.kube "cat >/$FILE"
 ssh -o StrictHostKeyChecking=no root@openbsd-template.kube "sh /$FILE"
--- a/bin/connect.sh
+++ b/bin/connect.sh
@ -38,13 +38,25 @@ then
    done
 fi

+ID=$(vmctl show "${HOST%.kube}" | awk 'END { print $2 }')
+
+# uncomment to set a dedicated X server per program
+ID="${ID}$(( $(date +%s) % 3600))"
+
 ssh-keygen -R "$HOST" >/dev/null 2>/dev/null
 if [ -n "$DISPLAY" ]
 then
    PROG="${2:-xterm}"
+
+    VM_INFO="$$ $HOST $ID $PROG"
+    echo "$VM_INFO" >> /tmp/kubes.txt
+    Xephyr -xkb-layout fr -once -terminate 1 -title "[${HOST}] - ${PROG}" -resizeable -reset -br ":${ID}" &
+    export DISPLAY=":${ID}"
+    ssh -o StrictHostKeyChecking=no -Y "user@${HOST}" "stumpwm" &
+    WAIT_FOR=$!
    ssh -o StrictHostKeyChecking=no -Y "user@${HOST}" "${PROG}"
-else
-    PROG="${2:-}"
-    ssh -o StrictHostKeyChecking=no -Y "user@${HOST}" "${PROG}"
+    wait $WAIT_FOR
+    kill $(jobs -p)
+    sed -i "/^$$/d" /tmp/kubes.txt
 fi

--- a/bin/copy_clipboard.sh
+++ b/bin/copy_clipboard.sh
@ -0,0 +1,29 @@
+#!/bin/sh
+
+SOURCE=$(zenity \
+    --list --radiolist --width=600 \
+    --title="Copy clipboard between programs" \
+    --text="Choose a clipboard to copy from" \
+    --print-column=4 \
+    --column="From" --column="PID" --column="Kube name" --column="Local X server" --column="Program running" \
+    $(awk '{ print "FALSE "$0 }' /tmp/kubes.txt))
+
+if [ -z "$SOURCE" ]
+then
+    exit 0
+fi
+
+DESTINATION=$(zenity \
+    --list --radiolist --width=600 \
+    --title="Copy clipboard between programs" \
+    --text="Choose a destination clipboard" \
+    --print-column=4 \
+    --column="To" --column="PID" --column="Kube name" --column="Local X server" --column="Program running" \
+    $(awk -v orig="${SOURCE}" '$3!=orig { print "FALSE "$0 }' /tmp/kubes.txt))
+
+if [ -z "$DESTINATION" ]
+then
+    exit 0
+fi
+
+env DISPLAY=":$SOURCE" xclip -o - | env DISPLAY=":$DESTINATION" xclip