On Fri, 2015-10-30 at 14:58 -0700, Andrew Lutomirski wrote:
On Fri, Oct 30, 2015 at 2:48 PM, Adam Jackson <ajax(a)redhat.com>
wrote:
>
> Anyone running any X (or wayland) application as root in their desktop
> session is completely bonkers and deserves every consequence of their
> poor decision.
OK, I'll bite. Why is it bonkers?
It's certainly the case that *gnome* might do something ridiculous if
you 'sudo gedit' something, but 'sudo emacs' really ought to be
equally acceptable regardless of whether you're using the terminal or
X frontend.
Same reason you probably don't want to run your irc client as root:
you're trusting the server to be well-behaved, through code that isn't
expecting to need to do input validation. Consider this class of
security bug:
http://www.x.org/wiki/Development/Security/Advisory-2013-05-23/
Also, at least under X, you're trusting _every other app in the
session_ to politely ignore the privileged client. There's nothing to
stop another client from blitting a deceptive image into the privileged
window, or from creating input-only children of the privileged window
and stealing its keystrokes (and forwarding them on to the privileged
app however it sees fit, which might not be unmodified).
This is all somewhat hypothetical, granted. Certainly one can
construct scenarios where it'd be safe enough. Probably there's
selinux policy for X that could fix this kind of abuse, and wayland has
a much smaller surface for this class of bug to sneak through.
But, why take the risk exposure, when you could simply not?
ISTM the straightforward solution to all of this would be for
Wayland
to allow a connection from anyone who can connect to the socket. Then
just set permissions on the socket accordingly.
Unless I'm missing something, there's no way to set permissions on a
unix socket such that root (or anyone else with CAP_DAC_OVERRIDE) is
rejected.
- ajax