Ratpoison's IPC mechanism, by which a remote process asks Ratpoison to
run a command, only requires X11 window properties with custom Atoms
(RP_COMMAND, RP_COMMAND_REQUEST, RP_COMMAND_RESULT) to be set on a
window; Ratpoison then parses and evaluates the property value.
While this operation requires a process to have a connection to the
X11 display, it's possible that the remote process has shed its
privileges after connecting and is not able to execute shell
commands itself or control the window manager. An unprivileged
process with an X11 connection can set RP_COMMAND_REQUEST with a
value of "0exec some-command-here" and Ratpoison will exec the
command with the privileges of the Ratpoison process.
This may not be a huge security problem due to the requirement of
having the X11 connection in the first place, but I thought I'd pass
it along as something worth considering to be changed in Ratpoison.
I'm not using Ratpoison anymore but in my fork, I've switched to a
Unix domain socket for this IPC which requires more privileges than
just setting an X11 window property:
https://github.com/jcs/sdorfehs/commit/a426e8b6adb729fce85a6a7bf058e35fee8abc99.patch
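As an added illustration, not code from Ratpoison or sdorfehs, here is the server-side check that a Unix domain socket makes possible and an X11 property cannot: the kernel reports who is on the other end (SO_PEERCRED, Linux), so the window manager can refuse requests that do not come from its own uid before evaluating anything. The function names, the uid-equality policy and the "0echo hi" request string are assumptions for the demo.

```c
#define _GNU_SOURCE          /* struct ucred / SO_PEERCRED on glibc */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical policy (not the real sdorfehs code): the X11 property channel
 * carries no sender identity, so any client with a display connection can set
 * RP_COMMAND_REQUEST. On a Unix domain socket the server can ask the kernel for
 * the peer's credentials and fail closed if they are missing or wrong. */

/* Return 1 if the peer connected on `fd` runs as `wm_uid`, else 0. */
int peer_allowed(int fd, uid_t wm_uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return 0;                 /* no credentials: refuse */
    return cred.uid == wm_uid;
}

/* Read one request from `fd` into `cmd` only after the peer check passes.
 * Returns 1 if the command may be evaluated, 0 if it must be dropped. */
int accept_command(int fd, uid_t wm_uid, char *cmd, size_t cmdlen)
{
    if (!peer_allowed(fd, wm_uid))
        return 0;
    ssize_t n = read(fd, cmd, cmdlen - 1);
    if (n <= 0)
        return 0;
    cmd[n] = '\0';
    return 1;
}

/* Demo with a socketpair: both ends belong to this process, so the check
 * passes when `pretend_wm_uid` is our own uid and fails for any other uid.
 * Returns accept_command's verdict, or -1 if the socketpair cannot be made. */
int demo(uid_t pretend_wm_uid, char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    const char *req = "0echo hi";  /* constructed request in the "0<command>" shape */
    (void)write(sv[0], req, strlen(req));
    int ok = accept_command(sv[1], pretend_wm_uid, out, outlen);
    close(sv[0]);
    close(sv[1]);
    return ok;
}
```

In a real deployment the socket would also live in a directory the window manager creates with mode 0700, so the filesystem enforces the same boundary before a connection is ever accepted.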