
> A random app like xeyes should not be able to know mouse position at all times, for privacy reasons. (Unless you very explicitly gave xeyes super-extra permission to do that.)

The thing about xeyes isn't that it's privacy invasive, it's that it shows that xeyes knows what you're doing in other clients.

Got a gnome terminal root shell open? That's a privilege escalation method for any other client running on the desktop under Xorg. This itself isn't really a problem, but chained with other attacks it could be (e.g. browser escape).



> Got a gnome terminal root shell open? That's a privilege escalation method for any other client running on the desktop under Xorg. This itself isn't really a problem, but chained with other attacks it could be (e.g. browser escape).

Unless you're sandboxed up the ass, Wayland won't save you when that browser escape happens. Something I did 20 years ago to a friend as a prank that still works today on a typical Linux desktop with Wayland: wrap sudo to log the user's password the next time they use it. I didn't use a browser exploit for that, but it can easily be done if you have write access to the user's environment, however that happened. Wayland won't protect you from that sort of thing unless you're willing to commit to extensive sandboxing.
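A defender-side check for the wrapped-sudo trick this comment describes, added here as an example rather than code from the thread: it walks PATH in lookup order looking for a `sudo` or a user-writable directory ahead of the trusted one, and scans shell rc files for an alias or function named `sudo`. The trusted directory (e.g. `/usr/bin`), the rc file list and the `--live` flag are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Detects a shadowed or wrapped sudo:
# a fake "sudo" earlier in PATH, a user-writable PATH entry ahead of the
# trusted dir, or a shell alias/function named sudo in an rc file.
# Usage: check_sudo_shadowing "<PATH value>" "<trusted dir>" [rc files...]
# Returns 0 when nothing is found, 1 when there is at least one finding.
check_sudo_shadowing() {
    path_value=$1
    trusted_dir=$2
    shift 2
    findings=0
    seen_trusted=0

    # Walk PATH in lookup order; any entry before the trusted dir can shadow it.
    old_ifs=$IFS
    IFS=:
    for dir in $path_value; do
        if [ -z "$dir" ]; then dir=.; fi   # empty PATH element means current dir
        if [ "$dir" = "$trusted_dir" ]; then
            seen_trusted=1
            break
        fi
        if [ -e "$dir/sudo" ]; then
            echo "FINDING: $dir/sudo is found before $trusted_dir/sudo"
            findings=1
        fi
        if [ -w "$dir" ]; then
            echo "FINDING: user-writable PATH entry $dir precedes $trusted_dir"
            findings=1
        fi
    done
    IFS=$old_ifs
    if [ "$seen_trusted" -eq 0 ]; then
        echo "FINDING: $trusted_dir is not in PATH at all"
        findings=1
    fi

    # An alias or function named sudo wins over PATH lookup entirely.
    for rc in "$@"; do
        [ -r "$rc" ] || continue
        if grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|\(|$))' "$rc"; then
            echo "FINDING: sudo alias/function defined in $rc"
            findings=1
        fi
    done
    return "$findings"
}

# Check the live session when run as: sh thisfile.sh --live  (assumed usage)
if [ "${1:-}" = "--live" ]; then
    check_sudo_shadowing "$PATH" /usr/bin "$HOME/.bashrc" "$HOME/.profile" "$HOME/.zshrc"
fi
```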


Wayland is a critical step in sandboxing everything on the Linux desktop up the ass. Flatpak is also part of this effort. This is where desktop computing is headed, and why what Drew DeVault called "anti-Wayland horseshit" is actually derailing a secure, easy-to-use Linux desktop.



