Can I trace copy/paste behavior of a program with strace?
Yes, you can trace a program with strace, not sure what you mean with copy/paste.
What are you trying to accomplish and what did you already try?
I want to check some running programs who try to get the contents of clipboard.
No, you cannot do it with strace.
Basically the same question as:
The edit time-out did already hit, so therefore a follow up.
That topic is meanwhile closed but I think there is still something possible depending on which DE you are using, echo $XDG_CURRENT_DESKTOP.
Notice that the functionality you seem to want is also something malicious actors would love to have so that is a good reason to make it not that easy to accomplish.
Please explain, how malicious actors can exploit the information from which application the pasted content originates.
So, to avoid the third attempt to ask the same question I'll try to elaborate.
The problem starts with defining "application" or "program". In Linux/UNIX there are processes. "Application" may consist of any number of related processes that somehow work together. There is no property named "application" attached to these processes. So, at the best you can find out what process is providing source data.
But even this is not generally possible. X11 server works with windows, not processes. It was designed to be network transparent, so the very notion of "process" may not even exist on the client. Current selection data is associated with X11 window, and that is all you can get. But you may have a lot of different windows with the same name, so it does not really help.
Wayland was designed for local communication, so Wayland compositor does know (or at least can query if necessary) the client process number. But that is probably not what you really are interested in. Like X11 window IDs, process numbers are mostly meaningless to end users.
The architecture of iOS is entirely different. There is one and only one instance of any given application, each application has user visible name, so operating system has no problems associating copy/paste data with its source.
Thank you for your details, but it does not work well for a beginner. We don't know the name of the application for these processes, but if the processes are running when the application is opening, can I guess the name of the application causing this? Or are processes running all the time no matter the application?
Maybe there is a language barrier here and thus the concept of what is a process needs further explanation.
A process is an instance of an executable when executed. You can of course execute an executable program more times at the same moment. E.g. start two konsole programs, you will see then two windows, each being the result of a process of the executable /usr/bin/konsole and inside the windows you will see the prompts of Bash, thus there are two processes of /bin/bash. You can see what processes are running with the tool ps. I have started two Konsoles and we see:
henk@boven:~> ps -ef |grep konsole
henk 15494 6413 0 09:39 ? 00:00:00 /usr/bin/konsole
henk 15879 6413 4 09:42 ? 00:00:00 /usr/bin/konsole
henk 15931 15508 0 09:42 pts/0 00:00:00 grep --color=auto konsole
henk@boven:~> ps -ef |grep bash
henk 15508 15494 0 09:39 pts/0 00:00:00 /bin/bash
henk 15893 15879 0 09:42 pts/1 00:00:00 /bin/bash
henk 15940 15508 0 09:42 pts/0 00:00:00 grep --color=auto bash
henk@boven:~>
Processes are identified by their Process Identification Number (PID). Thus you see there are two processes 15494 and 15879 of /usr/bin/konsole and two processes 15508 and 15893 of /bin/bash.
You can also see in the third column that process 15508 is a child process of 15494.
You see that knowing the name of the Application is not very precise because it is just a loose indication like "I run Konsole" or "I use the shell". One must know the name of the executable (and an Application can have more executables) and then try to find the exact process (PID) that one needs to follow.
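Added example, not part of the thread: the parent/child reading of the third column described above, done mechanically. It parses lines copied from the ps -ef listing in the post (prompts and the second grep left out) and walks the PPID chain to find which konsole started each process; the function names are made up for this illustration. The chain stops at the first parent that is not in the listing, and a process that was re-parented will show a different parent than the program that actually launched it.

```python
import os

# Sample input: lines taken from the `ps -ef` listing in the post above.
PS_OUTPUT = """\
henk 15494 6413 0 09:39 ? 00:00:00 /usr/bin/konsole
henk 15879 6413 4 09:42 ? 00:00:00 /usr/bin/konsole
henk 15508 15494 0 09:39 pts/0 00:00:00 /bin/bash
henk 15893 15879 0 09:42 pts/1 00:00:00 /bin/bash
henk 15931 15508 0 09:42 pts/0 00:00:00 grep --color=auto konsole
"""


def parse_ps(text):
    """Map PID -> (PPID, executable) from `ps -ef` lines.

    Column order is UID PID PPID C STIME TTY TIME CMD; CMD may contain spaces.
    """
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not (fields[1].isdigit() and fields[2].isdigit()):
            continue  # header line or something that is not a process row
        exe = fields[7].split()[0]  # first word of CMD is the executable
        procs[int(fields[1])] = (int(fields[2]), exe)
    return procs


def ancestors(procs, pid):
    """Return [(pid, exe), ...] from the process itself up to the last known parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # `seen` guards against a PPID loop
        seen.add(pid)
        ppid, exe = procs[pid]
        chain.append((pid, exe))
        pid = ppid
    return chain


def launching_konsole(procs, pid):
    """PID of the nearest konsole ancestor of `pid`, or None if there is none."""
    for apid, exe in ancestors(procs, pid)[1:]:  # skip the process itself
        if os.path.basename(exe) == "konsole":
            return apid
    return None


if __name__ == "__main__":
    table = parse_ps(PS_OUTPUT)
    for p, (_, exe) in sorted(table.items()):
        print(p, exe, "<- konsole", launching_konsole(table, p))
```
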
Is window the UI of program (Konsole, Firefox...)?
Are many programs monitoring clipboard all the time? I thought it is the programs like Wget?
I can't see which /bin/bash ran by which konsole from the output of ps, but I can know is "konsole" caused the /bin/bash executed. So can I know which program causes clipboard action?
https://wiki.archlinux.org/title/Clipboard
Wayland uses radically different approach for realizing clipboard (than X11).
Yes, almost all user interfaces are presented in a window. They all usually have a uniform frame. Exceptions: the taskbar, the application launcher, the login screen are not windows.
Not all programs are monitoring the clipboard at the same time, but mostly any of them can do so. strace is used to monitor process interactions with the kernel, but it's not the kernel that handles the clipboard, but your window system, which is running in another process like the programs that make the windows work.
Reading communication between processes is often harder than using strace, and that would also require a different tool. In this case, you would specifically need to monitor communication between processes and the wayland socket, with whatever tool that can do that.
According to this forum post and its comments, if you are using a Wayland session, only that program can access the clipboard that's in the foreground, but some say that it's actually accessible even otherwise.
Flatpak does not limit it further either.
Also keep in mind that if you have a clipboard manager that saves clipboard history to disk, any program able to find and read that file can also read your clipboard history. KDE sessions have a widget like that (enabled by default I think) that has this as an optional functionality, but I don't know whether it's the default to also store them on disk.
I can't see which /bin/bash ran by which konsole from the output of ps, but I can know is "konsole" caused the /bin/bash executed.
You can if you request that it print processes in a tree. But graphical tools like KSysGuard on KDE can do that too. A process can also start another in a way so that it won't be a child of it in the tree, so don't rely on this for security purposes because it was not intended for that.
But finding the program that read your clipboard won't be possible with ps or KSysGuard. hcvv's example was only to explain the concept of processes, not to explain how clipboard access works.
But I would argue that the iOS and Android models of clipboard read notifications are just a security theatre, as I assume they can read and write the clipboard when the phone is locked and you can't see it. Even Bitwarden does not clear the copied passwords from the clipboard after a delay by default. For being meaningful they would need to implement a switchable clipboard permission (btw, there's already a permission on Android, but for some reason they don't let you grant or revoke it), and a complete history of clipboard accesses per-app and with timestamps.
Forgot to say, it's an open source software from GitHub, perhaps I can get its code, can I know when it tries to copy clipboard into it?