1

What is the most harmful thing a malware program started as a separate limited user account can do if it has access to the X server?

Network and filesystem things are already considered by chroot and netfilter.

It obviously can lock the screen, and I will need to switch to another VT and kill it manually. Can it, for example, disrupt other GUI programs on the same X server (access a root terminal in a nearby window)?

I know that it is safer to run it in a separate X server, for example in Xtightvnc or even some virtual machine, but how dangerous is it to just run it like other programs?

3 Answers

1

If you've already gone to the trouble of setting up a separate X server, have you considered running the program inside a nested X server like Xnest? Then you would completely isolate the malicious program in its own X environment. Or if you want to be absolutely safe, you might even consider something like VirtualBox for a whole other VM.

0

Once a program has access to the X server it can virtually do everything you can do with a mouse and a keyboard. This will not be limited to this application's window should it have one, but could affect other running applications.

There are tons of applications to help people with accessibility-related problems assisting them to use the keyboard or the mouse to control their X sessions. Why should malware not do that and just pretend to be you?

1
  • Example: groups.csail.mit.edu/uid/sikuli It's not a virus, it's a GUI scripting engine that you can use to script arbitrary actions, like clicking on GUI buttons and typing in text boxes and stuff. I'm just providing it as an example of what capabilities a malicious program would have access to. Commented Mar 27, 2010 at 22:21
0

Install Xephyr and then:

Xephyr -ac -screen 800x600 -br -reset -terminate :2 &

to run a nested/isolated X session.

Jim
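
The nested-server approach from the answers above, as an added example that is not part of any answer: `-ac` turns X access control off for the nested display, so this sketch starts Xephyr with `-auth` and a fresh MIT-MAGIC-COOKIE-1 instead and gives the untrusted account only that cookie. The display `:2`, the user name `sandbox`, the file names and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: nested X server with cookie authentication instead of -ac.
# Assumed placeholders: display :2, an unprivileged user "sandbox", the program.

# Fixed server options; -ac is absent, so X access control stays enabled.
NESTED_OPTS="-nolisten tcp -screen 800x600 -br -reset -terminate"

# Succeeds only if none of the given server arguments disables access control.
access_control_on() {
    for arg in "$@"; do
        [ "$arg" = "-ac" ] && return 1
    done
    return 0
}

# 128 random bits as 32 hex digits, the key format of MIT-MAGIC-COOKIE-1.
new_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: run_isolated DISPLAY USER COMMAND [ARGS...]
run_isolated() {
    disp=$1; user=$2; shift 2
    dir=$(mktemp -d) || return 1          # mode 0700, owned by the caller
    xauth -f "$dir/server" add "$disp" . "$(new_cookie)" || return 1
    # NESTED_OPTS is a fixed list, so unquoted word splitting is intended.
    access_control_on $NESTED_OPTS || return 1
    Xephyr "$disp" -auth "$dir/server" $NESTED_OPTS &
    xpid=$!
    sleep 1                               # crude wait for the server socket
    # Give the sandbox user the nested display's cookie only, never the host's.
    xauth -f "$dir/server" nextract - "$disp" |
        sudo -H -u "$user" sh -c \
            'umask 077; xauth -f "$HOME/.Xauthority.nested" nmerge -'
    # Clean environment: the host DISPLAY and XAUTHORITY are not inherited.
    sudo -H -u "$user" sh -c 'exec env -i HOME="$HOME" PATH=/usr/bin:/bin \
        DISPLAY="$0" XAUTHORITY="$HOME/.Xauthority.nested" "$@"' "$disp" "$@"
    kill "$xpid" 2>/dev/null
    rm -rf "$dir"
}

# Run only when invoked with arguments, e.g.: sh nested.sh :2 sandbox xterm
if [ $# -ge 3 ]; then
    run_isolated "$@"
fi
```

Clients inside the nested display can still observe and drive each other, so run only the untrusted program there.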
