On Fri 2019-05-03 12:45:17 +0200, intrigeri wrote:
> When we switch to Wayland (#12213) we'll need to change the way we run
> the Unsafe Browser. In particular, we won't be able to run it under
> a dedicated user anymore.
This seems problematic to me. Dedicated user accounts are one of the
simplest, most reliable process isolation mechanisms in Unix. I scanned
https://redmine.tails.boum.org/code/issues/12213 briefly but didn't see
any mention of a bug report/feature request to the Wayland developers
about this gap, other than this FAQ:
https://fedoraproject.org/wiki/Common_F25_bugs#Running_graphical_apps_with_root_privileges_.28e.g._gparted.29_does_not_work_on_Wayland
(which seems like it's more about not wanting to leak root privs, not
about dedicated non-priv users).

I think this would be worth raising with Wayland upstream if it hasn't
been raised already, pointing out that there are good security reasons
to want to run applications under user isolation.
--dkg