On Nov 2, 2015 7:05 AM, "Adam Jackson" <ajax@redhat.com> wrote:
> On Fri, 2015-10-30 at 14:58 -0700, Andrew Lutomirski wrote:
> > On Fri, Oct 30, 2015 at 2:48 PM, Adam Jackson <ajax@redhat.com> wrote:
> > >
> > > Anyone running any X (or wayland) application as root in their desktop
> > > session is completely bonkers and deserves every consequence of their
> > > poor decision.
> >
> > OK, I'll bite.  Why is it bonkers?
> >
> > It's certainly the case that *gnome* might do something ridiculous if
> > you 'sudo gedit' something, but 'sudo emacs' really ought to be
> > equally acceptable regardless of whether you're using the terminal or
> > X frontend.
> Same reason you probably don't want to run your irc client as root:
> you're trusting the server to be well-behaved, through code that isn't
> expecting to need to do input validation.  Consider this class of
> security bug:
> http://www.x.org/wiki/Development/Security/Advisory-2013-05-23/
> Also, at least under X, you're trusting _every other app in the
> session_ to politely ignore the privileged client.  There's nothing to
> stop another client from blitting a deceptive image into the privileged
> window, or from creating input-only children of the privileged window
> and stealing its keystrokes (and forwarding them on to the privileged
> app however it sees fit, which might not be unmodified).

You have the same problem with root-equivalent polkit rights.

> This is all somewhat hypothetical, granted.  Certainly one can
> construct scenarios where it'd be safe enough.  Probably there's
> selinux policy for X that could fix this kind of abuse, and wayland has
> a much smaller surface for this class of bug to sneak through.

We're talking about Wayland, though.

> But, why take the risk exposure, when you could simply not?
> > ISTM the straightforward solution to all of this would be for Wayland
> > to allow a connection from anyone who can connect to the socket.  Then
> > just set permissions on the socket accordingly.
> Unless I'm missing something, there's no way to set permissions on a
> unix socket such that root (or anyone else with CAP_DAC_OVERRIDE) is
> rejected.

Root can connect one way or another and you can't do anything to prevent it.  The socket DAC/ACL approach lets users set their own policy (e.g. Android-like things where maybe a gid is the right thing to check), and while discouraging root GUI may make sense, actively trying to prevent it seems both user-hostile and futile.


> - ajax
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct