On Nov 2, 2015 7:05 AM, "Adam Jackson" ajax@redhat.com wrote:
On Fri, 2015-10-30 at 14:58 -0700, Andrew Lutomirski wrote:
On Fri, Oct 30, 2015 at 2:48 PM, Adam Jackson ajax@redhat.com wrote:
Anyone running any X (or wayland) application as root in their desktop session is completely bonkers and deserves every consequence of their poor decision.
OK, I'll bite. Why is it bonkers?
It's certainly the case that *gnome* might do something ridiculous if you 'sudo gedit' something, but 'sudo emacs' really ought to be equally acceptable regardless of whether you're using the terminal or X frontend.
Same reason you probably don't want to run your irc client as root: you're trusting the server to be well-behaved, through code that isn't expecting to need to do input validation. Consider this class of security bug:
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23/
Also, at least under X, you're trusting _every other app in the session_ to politely ignore the privileged client. There's nothing to stop another client from blitting a deceptive image into the privileged window, or from creating input-only children of the privileged window and stealing its keystrokes (and forwarding them on to the privileged app however it sees fit, which might not be unmodified).
You have the same problem with root-equivalent polkit rights.
This is all somewhat hypothetical, granted. Certainly one can construct scenarios where it'd be safe enough. Probably there's selinux policy for X that could fix this kind of abuse, and wayland has a much smaller surface for this class of bug to sneak through.
We're talking about Wayland, though.
But, why take the risk exposure, when you could simply not?
ISTM the straightforward solution to all of this would be for Wayland to allow a connection from anyone who can connect to the socket. Then just set permissions on the socket accordingly.
Unless I'm missing something, there's no way to set permissions on a unix socket such that root (or anyone else with CAP_DAC_OVERRIDE) is rejected.
Root can connect one way or another and you can't do anything to prevent it. The socket DAC/ACL approach lets users set their own policy (e.g. Android-like things where maybe a gid is the right thing to check), and while discouraging root GUI may make sense, actively trying to prevent it seems both user-hostile and futile.
--Andy
- ajax
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct