From sharon at 455.co.il Sat Feb 3 22:04:48 2024 From: sharon at 455.co.il (Mayost Sharon) Date: Sun, 4 Feb 2024 00:04:48 +0200 Subject: [winswitch] Limitation to run only one application only Message-ID: <20240203220448.M25662@455.co.il> Hello I am trying to run only one app (xterm) On the server I run xpra start --html=on --start=xterm --bind-tcp=0.0.0.0:10000 The problem when I connect through a browser (HTML5) I do get xterm But in addition there is a floating menu through which it is possible to run all the programs that are on the server Is there a way to disable that the client will not have access to run software Only according to what I define for the client In my example I want the client to be able to run only XTERM Thanks From totaam at xpra.org Tue Feb 6 08:15:14 2024 From: totaam at xpra.org (Antoine Martin) Date: Tue, 6 Feb 2024 15:15:14 +0700 Subject: [winswitch] [ANNOUNCE] Xpra LTS 5.0.5 Message-ID: Hi, This update to the v5 LTS branch is quite large. The most noteworthy fixes are the window state and geometry regressions, lossy text screen updates and handling of http timeouts. There is no urgency to update if you were not affected. That said, Microsoft Windows users should always upgrade due to the large number bundled libraries (ie: updates to OpenSSL and many more network facing critical libraries) For more details, please see: https://github.com/Xpra-org/xpra/releases/tag/v5.0.5 Downloads: https://github.com/Xpra-org/xpra/wiki/Download Cheers, Antoine From vini.ipsmaker at gmail.com Fri Feb 9 17:30:18 2024 From: vini.ipsmaker at gmail.com (=?UTF-8?Q?Vin=C3=ADcius_dos_Santos_Oliveira?=) Date: Fri, 9 Feb 2024 14:30:18 -0300 Subject: [winswitch] Stop client from sending logs to server Message-ID: Is there a way to force the client to not send log messages to the server? I started to write my own scripts to run desktop apps installed in LXC containers and I use xpra to route X11 sessions: https://gitlab.com/emilua/packxd The scripts control the container output, so it's able to print all output (client and server) in the same terminal window. However the xpra-server will do the same and client output gets printed twice: 2024-02-09 14:11:05,486 Attached to xpra server at socket:///run/user/1000/packxd/rxvt/test/xpra-map/serverhostname-0 2024-02-09 14:11:05,486 (press Control-C to detach) [xpra_server] 2024-02-09 17:11:05,487 client 1 @00.405 Attached to xpra server at socket:///run/user/1000/packxd/rxvt/test/xpra-map/serverhostname-0 [xpra_server] 2024-02-09 17:11:05,487 client 1 @00.405 (press Control-C to detach) Is there a CLI option to make the client not send log messages to the server (the less the server knows about the client environment the better)? -- Vin?cius dos Santos Oliveira https://vinipsmaker.github.io/ From totaam at xpra.org Mon Feb 12 17:16:51 2024 From: totaam at xpra.org (Antoine Martin) Date: Tue, 13 Feb 2024 00:16:51 +0700 Subject: [winswitch] Limitation to run only one application only In-Reply-To: <20240203220448.M25662@455.co.il> References: <20240203220448.M25662@455.co.il> Message-ID: <8eaddf51-2a88-4ffd-b747-40d7a014fc63@xpra.org> On 04/02/2024 05:04, Mayost Sharon via shifter-users wrote: > Hello > I am trying to run only one app (xterm) > On the server I run > xpra start --html=on --start=xterm --bind-tcp=0.0.0.0:10000 > > The problem when I connect through a browser (HTML5) > I do get xterm > But in addition there is a floating menu > through which it is possible to run all the programs that are on the server > Is there a way to disable that the client will not have access to run software > Only according to what I define for the client > In my example I want the client to be able to run only XTERM It depends on how secure you want this to be and whether you want to see this menu or not. If all you want is hide this menu, there is already an option on the html5 client's `connect.html` page, you can set "floating_menu=no" and it won't be shown. If you want to customize the list of applications shown in this start menu, you can use the environment variable XPRA_MENU_LOAD_APPLICATIONS: https://github.com/Xpra-org/xpra/issues/3227#issuecomment-890442890 If you want to prevent your users from starting *any* applications from the menu, start your server with: `--start-new-commands=no` Finally, please be aware that many desktop applications require or at least use a dbus server - this opens many more possibilities for interacting with the system and potentially launching other apps. Cheers, Antoine > > Thanks > > _______________________________________________ > shifter-users mailing list > shifter-users at lists.devloop.org.uk > https://lists.devloop.org.uk/mailman/listinfo/shifter-users From vini.ipsmaker at gmail.com Sun Feb 11 13:26:24 2024 From: vini.ipsmaker at gmail.com (=?UTF-8?Q?Vin=C3=ADcius_dos_Santos_Oliveira?=) Date: Sun, 11 Feb 2024 10:26:24 -0300 Subject: [winswitch] Stop client from sending logs to server In-Reply-To: References: Message-ID: Em sex., 9 de fev. de 2024 ?s 14:30, Vin?cius dos Santos Oliveira escreveu: > Is there a way to force the client to not send log messages to the server? I found a solution to my problem. One just need to pass --remote-logging=no to xpra-attach. -- Vin?cius dos Santos Oliveira https://vinipsmaker.github.io/ From vini.ipsmaker at gmail.com Wed Feb 14 16:30:53 2024 From: vini.ipsmaker at gmail.com (=?UTF-8?Q?Vin=C3=ADcius_dos_Santos_Oliveira?=) Date: Wed, 14 Feb 2024 13:30:53 -0300 Subject: [winswitch] -nolisten local Message-ID: How to make xpra add -nolisten local to Xorg invocation? I'm running multiple xpra servers in the same network namespace and I don't want each xpra server to have access to each other's X11 sockets (auth exists, but there's still zero reason to have sockets in the abstract namespace). This link provides more info: https://tstarling.com/blog/2016/06/x11-security-isolation/ -- Vin?cius dos Santos Oliveira https://vinipsmaker.github.io/ From antoine at nagafix.co.uk Tue Feb 20 08:27:47 2024 From: antoine at nagafix.co.uk (Antoine Martin) Date: Tue, 20 Feb 2024 15:27:47 +0700 Subject: [winswitch] -nolisten local In-Reply-To: References: Message-ID: <0e632b76-7425-43bd-986f-4f85ac9e1cb8@nagafix.co.uk> On 14/02/2024 23:30, Vin?cius dos Santos Oliveira via shifter-users wrote: > How to make xpra add -nolisten local to Xorg invocation? You can just add it to your Xvfb command line in /etc/xpra, see: https://github.com/Xpra-org/xpra/blob/a3a51067e61d710d1f63b48e4bbffa66ff71ab83/fs/etc/xpra/conf.d/55_server_x11.conf.in#L32-L41 > I'm running multiple xpra servers in the same network namespace and I > don't want each xpra server to have access to each other's X11 sockets > (auth exists, but there's still zero reason to have sockets in the > abstract namespace). Incidentally, xpra v6 supports abstract sockets: https://github.com/Xpra-org/xpra/issues/4098 Which you can turn off with --bind=noabstract The default is to use peercred to filter connections. > This link provides more info: > https://tstarling.com/blog/2016/06/x11-security-isolation/ Cheers, Antoine From totaam at xpra.org Thu Feb 22 17:13:48 2024 From: totaam at xpra.org (Antoine Martin) Date: Fri, 23 Feb 2024 00:13:48 +0700 Subject: [winswitch] [ANNOUNCE] Xpra LTS 5.0.6 Message-ID: <385c8f68-38e8-4551-91bd-5572a53380c4@xpra.org> Hi, This update to the v5 LTS branch contains some important fixes. In particular: * the window management bugs were causing major issues with some applications (ie: wine) * text applications could still be blurry - especially with the html5 client, this should finally be fixed properly There is no urgency to update if you were not affected by these issues, but updating is recommended. The MacOS builds are available again with this release, thanks to Catalin Patulea for the numerous fixes. For more details, please see: https://github.com/Xpra-org/xpra/releases/tag/v5.0.6 Downloads: https://github.com/Xpra-org/xpra/wiki/Download Cheers, Antoine From vini.ipsmaker at gmail.com Tue Feb 20 16:49:25 2024 From: vini.ipsmaker at gmail.com (=?UTF-8?Q?Vin=C3=ADcius_dos_Santos_Oliveira?=) Date: Tue, 20 Feb 2024 13:49:25 -0300 Subject: [winswitch] -nolisten local In-Reply-To: <0e632b76-7425-43bd-986f-4f85ac9e1cb8@nagafix.co.uk> References: <0e632b76-7425-43bd-986f-4f85ac9e1cb8@nagafix.co.uk> Message-ID: Em ter., 20 de fev. de 2024 ?s 05:28, Antoine Martin via shifter-users escreveu: > On 14/02/2024 23:30, Vin?cius dos Santos Oliveira via shifter-users wrote: > > How to make xpra add -nolisten local to Xorg invocation? > You can just add it to your Xvfb command line in /etc/xpra, see: > https://github.com/Xpra-org/xpra/blob/a3a51067e61d710d1f63b48e4bbffa66ff71ab83/fs/etc/xpra/conf.d/55_server_x11.conf.in#L32-L41 Does xpra depend on the X11 abstract socket? If not, why have it on as the default? Isn't it just the same as -nolisten tcp? I don't quite understand xpra's codebase. I tried to add -nolisten local after these two lines to adjust the default: * https://github.com/Xpra-org/xpra/blob/05001bba3cd32b3ad9d24cccdac4f2911b0b26e3/xpra/scripts/config.py#L127 * https://github.com/Xpra-org/xpra/blob/05001bba3cd32b3ad9d24cccdac4f2911b0b26e3/xpra/scripts/config.py#L147 However it doesn't work. Does it always use the files in /etc/xpra that you mentioned? > Incidentally, xpra v6 supports abstract sockets: > https://github.com/Xpra-org/xpra/issues/4098 > Which you can turn off with --bind=noabstract This is an extra abstract socket not related to X11 socket, right? > The default is to use peercred to filter connections. This won't work for Linux containers using unprivileged user namespaces. For unprivileged user namespaces you can only use/map your own UID so every container will have the same UID even if you're trying to create containers isolated from each other. Unprivileged user namespaces can't configure network stacks so you either disable the network completely or every container shares the same network namespace (and the same abstract UNIX socket addressing space). These container limitations can be partially overcome by SUID helpers (e.g. newuidmap and slirp4netns). However it doesn't mean that peercreds alone for this purpose are safe. Enabling abstract sockets indiscriminately isn't safe. Users wishing to make use of the abstract UNIX sockets can proceed to do so only after careful planning taking the interactions of the system as a whole into consideration to make sure the feature will be safe. -- Vin?cius dos Santos Oliveira https://vinipsmaker.github.io/ From totaam at xpra.org Sat Feb 24 14:16:08 2024 From: totaam at xpra.org (Antoine Martin) Date: Sat, 24 Feb 2024 21:16:08 +0700 Subject: [winswitch] [ANNOUNCE] xpra-html5 v11.1 Message-ID: <2702cf84-c56d-4f65-9d89-c1f944c41e31@xpra.org> Hi, This new release of the xpra-html5 client only contains a few fairly minor fixes. Some of the 11.0 builds had failed so this also ensures that all platforms now have up to date packages. For more details, please see: https://github.com/Xpra-org/xpra-html5/releases/tag/v11.1 Cheers, Antoine From totaam at xpra.org Wed Feb 28 15:09:53 2024 From: totaam at xpra.org (Antoine Martin) Date: Wed, 28 Feb 2024 22:09:53 +0700 Subject: [winswitch] [ANNOUNCE] Xpra LTS 5.0.7 Message-ID: Hi, This update to the v5 LTS branch contains no critical fixes. Some of the backports in v5.0.6 caused regressions on platforms with older Python versions, notably RHEL 8 and clones. There is no urgency to update if you were not affected by these issues. For more details, please see: https://github.com/Xpra-org/xpra/releases/tag/v5.0.7 Downloads: https://github.com/Xpra-org/xpra/wiki/Download Cheers, Antoine