Hi,

Daniel Kahn Gillmor:
> On Fri 2019-05-03 12:45:17 +0200, intrigeri wrote:
>> When we switch to Wayland (#12213) we'll need to change the way we run
>> the Unsafe Browser. In particular, we won't be able to run it under
>> a dedicated user anymore.
>
> this seems problematic to me. dedicated user accounts are one of the
> simplest, most reliable process isolation mechanisms in unix.

I agree for non-GUI apps. But for GUI apps running on X11 (and probably on Xwayland), they can trivially escape that sandbox; and reciprocally, other apps can easily interact with the "sandboxed" one. So I think this isolation mechanism, that's being obsoleted here, has always been extremely weak in this context. I won't regret it much: the usual design patterns to replace it provide much better security.

> I scanned
> https://redmine.tails.boum.org/code/issues/12213 briefly but didn't see
> any mention of a bug report/feature request to the wayland developers
> about this gap, other than this FAQ:
>
> https://fedoraproject.org/wiki/Common_F25_bugs#Running_graphical_apps_with_root_privileges_.28e.g._gparted.29_does_not_work_on_Wayland
> (which seems like it's more about not wanting to leak root privs, not
> about dedicated non-priv users)

(Disclaimer: I didn't study this sort of thing recently and don't remember the details.)

All the cases where we run a GUI app under a dedicated UID in Tails are there primarily in order to give that specific app some privileges that the desktop user ("amnesia") should not directly have, for example applying an upgrade or accessing the Internet without going through Tor. So I believe the same reasoning as for running GUI apps as root applies here as well.

Granted, in the Unsafe Browser case, ideally we also want to give it a limited view of the filesystem, i.e. restrict its privileges, just like we do with AppArmor for some apps, but that's a nice bonus feature rather than a strict design requirement.

> i think this would be worth raising with Wayland upstream if it hasn't
> been raised already, pointing out that there are good security reasons
> to want to run applications under user isolation.

Possibly. Given we don't particularly need/use that privilege-restricting isolation in Tails, I won't invest time into this. It is my understanding that the active community around Wayland has made a strong commitment to namespace-based isolation solutions (e.g. bubblewrap), which have lots of interesting features that UID-based isolation lacks, so honestly I would not expect them to care much about UID-based isolation.

Cheers,
--
intrigeri

_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
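As an added illustration of the namespace-based alternative intrigeri mentions (this is example code written for this page, not Tails' own Unsafe Browser launcher): the script below builds a bubblewrap (`bwrap`) command line that gives a GUI program a read-only, minimal view of the filesystem and an empty home, keeps the host network (the one privilege the Unsafe Browser actually needs), and shares only the Wayland compositor socket rather than a whole X11 display. It assumes `bwrap` is installed, a merged-`/usr` Debian-style layout, and a Wayland session; the paths `/home/sandbox` and `/run/user/sandbox` are arbitrary names chosen here for illustration.

```shell
#!/bin/sh
# Added example, not Tails' own code. Builds a bwrap argument list that
# confines a program with namespaces instead of a dedicated UID: a limited,
# read-only filesystem view, an empty home, host network kept, and only the
# Wayland socket shared with the desktop. Assumptions: bubblewrap installed,
# merged /usr (Debian-style), Wayland session; /home/sandbox and
# /run/user/sandbox are illustrative names, not Tails paths.

# Print, one per line, the bwrap arguments for running "$1" confined.
# Anything not listed here simply does not exist inside the sandbox, which is
# the "limited view of the filesystem" that a dedicated UID alone cannot give.
sandbox_args() {
    program="$1"
    [ -n "$program" ] || { echo "usage: sandbox_args PROGRAM" >&2; return 1; }
    runtime_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    wayland_display="${WAYLAND_DISPLAY:-wayland-0}"
    printf '%s\n' \
        --unshare-all \
        --share-net \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --ro-bind /etc/resolv.conf /etc/resolv.conf \
        --ro-bind /etc/ssl /etc/ssl \
        --dev /dev \
        --proc /proc \
        --tmpfs /tmp \
        --tmpfs /home/sandbox \
        --setenv HOME /home/sandbox \
        --tmpfs /run/user/sandbox \
        --bind "$runtime_dir/$wayland_display" "/run/user/sandbox/$wayland_display" \
        --setenv XDG_RUNTIME_DIR /run/user/sandbox \
        --setenv WAYLAND_DISPLAY "$wayland_display" \
        --die-with-parent \
        --new-session \
        "$program"
}
# Flag meanings:
#   --unshare-all / --share-net : fresh user, pid, ipc, uts, cgroup namespaces,
#                                 but the host network stays reachable
#   --ro-bind /usr, --symlink    : read-only system tree on a merged-/usr layout
#   --tmpfs /home/sandbox        : the desktop user's real home is never visible
#   --bind <wayland socket>      : the only channel to the desktop; unlike an
#                                 X11 display it does not expose other clients
#   --die-with-parent            : the sandbox dies with the launcher
#   --new-session                : detaches from the launcher's terminal

# Run "$1" under bwrap, or just show the argument list when bwrap is absent.
# Word splitting of $(...) is safe here because no argument contains whitespace
# (assumes XDG_RUNTIME_DIR has none either).
run_sandboxed() {
    if ! command -v bwrap >/dev/null 2>&1; then
        echo "bwrap not installed; dry run:" >&2
        sandbox_args "$1"
        return
    fi
    # shellcheck disable=SC2046
    bwrap $(sandbox_args "$1")
}

# Usage (uncomment to try): run_sandboxed /usr/bin/gnome-calculator
```

Compared with `sudo -u some-dedicated-user program`, the UID approach leaves every path readable by "other" visible and, on X11, leaves the display shared with every other client; the argument list above removes both, which is the kind of feature intrigeri means when he says UID-based isolation lacks what namespace-based tools provide.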