On Sun, Jul 09, 2017 at 02:07:06PM +0000, Johannes Lundberg wrote:
> That code gets the child's pid from the fork command. That's is not
> available in my case (Wayland client connects to Wayland server via unix
> socket).

> I can understand the security issue.. hmm will dig further tomorrow..

It seems like what Wayland wants is not a security feature, but a
feature to prevent people from building things that will not work in a
future more secure world. In this future world, operations like making a
screenshot would be privileged.

Even if the PID race is solved, it remains trivial to fake the check
(for example, fork a process that sends the initial message and then
immediately execs a "privileged" binary, or use ptrace to attach to a
"privileged" binary or launch a new copy of a "privileged" binary).

With regard to security, it would be equivalent to have the client send
the name of its binary to the server. Putting this into a low-level
Wayland library would deter people from faking the check to do things
that will not work in the future more secure world. I don't know how
invasive this would be, though.

One possible implementation of the future more secure world would be
per-application UIDs a la Android. Another one would be
Capsicum-sandboxed applications where applications receive their Wayland
sockets pre-connected by code that tells the Wayland server the
application identity.

Jilles Tjoelker
freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to