Hi,
Daniel Kahn Gillmor:
> On Fri 2019-05-03 12:45:17 +0200, intrigeri wrote:
>> When we switch to Wayland (#12213) we'll need to change the way we run
>> the Unsafe Browser. In particular, we won't be able to run it under
>> a dedicated user anymore.
> this seems problematic to me. dedicated user accounts are one of the
> simplest, most reliable process isolation mechanisms in unix.
I agree for non-GUI apps. But for GUI apps running on X11 (and
probably on Xwayland), they can trivially escape that sandbox; and
reciprocally, other apps can easily interact with the "sandboxed" one.
So I think this isolation mechanism, which is being obsoleted here, has
always been extremely weak in this context. I won't regret it much:
the usual design patterns to replace it provide much better security.
> I scanned
> https://redmine.tails.boum.org/code/issues/12213 briefly but didn't see
> any mention of a bug report/feature request to the wayland developers
> about this gap, other than this FAQ:
> https://fedoraproject.org/wiki/Common_F25_bugs#Running_graphical_apps_with_root_privileges_.28e.g._gparted.29_does_not_work_on_Wayland
> (which seems like it's more about not wanting to leak root privs, not
> about dedicated non-priv users)
(Disclaimer: I didn't study this sort of thing recently and don't
remember the details.)
All the cases where we run a GUI app under a dedicated UID in Tails
are there primarily in order to give that specific app some privileges
that the desktop user ("amnesia") should not directly have, for
example applying an upgrade or accessing the Internet without going
through Tor. So I believe the same reasoning as for running GUI apps
as root applies here as well.
Granted, in the Unsafe Browser case, ideally we also want to give it
a limited view of the filesystem, i.e. restrict its privileges, just
like we do with AppArmor for some apps, but that's a nice bonus
feature rather than a strict design requirement.
> i think this would be worth raising with Wayland upstream if it hasn't
> been raised already, pointing out that there are good security reasons
> to want to run applications under user isolation.
Possibly. Given we don't particularly need/use that
privilege-restricting isolation in Tails, I won't invest time into
this. It is my understanding that the active community around Wayland
has made a strong commitment to namespace-based isolation solutions
(e.g. bubblewrap), that have lots of interesting features which
UID-based isolation lacks, so honestly I would not expect them to care
much about UID-based isolation.
Cheers,
--
intrigeri
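An added example, not code from this thread or from Tails, sketching the namespace-based alternative to "run the app under a dedicated UID" that the reply mentions: a bubblewrap (bwrap) wrapper that gives the child a read-only view of the OS, one writable directory and private /tmp, PID and IPC namespaces, while keeping the host network namespace (the Unsafe Browser needs clearnet access, so network policy stays with the firewall). The profile path, the bound directories and the policy check are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Tails). Emits the bwrap argument list,
# one per line, so the policy can be inspected and checked without bwrap being
# installed. The profile path is assumed and must not contain whitespace.
sandbox_args() {
    profile="$1"                    # the only writable path (assumed)
    printf '%s\n' \
        --unshare-all --share-net \
        --die-with-parent --new-session \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --symlink usr/lib /lib --symlink usr/lib64 /lib64 --symlink usr/bin /bin \
        --proc /proc --dev /dev --tmpfs /tmp --tmpfs /run \
        --bind "$profile" "$profile" \
        --chdir "$profile"
}

# Policy check: nothing under /home or /root may be mapped into the sandbox.
# Returns 0 when the generated argument list is clean, 1 otherwise.
no_home_exposure() {
    sandbox_args "$1" | grep -Eq '^/(home|root)(/|$)' && return 1
    return 0
}

# Run a command inside the sandbox. Returns 2 when bwrap is not installed.
run_sandboxed() {
    profile="$1"; shift
    command -v bwrap >/dev/null 2>&1 || return 2
    # Word-splitting of the generated argument list is intended here.
    bwrap $(sandbox_args "$profile") -- "$@"
}

# Self-check from inside the sandbox: /home must be absent and /usr read-only.
verify_view() {
    run_sandboxed "$1" sh -c 'test ! -e /home && ! touch /usr/.w 2>/dev/null'
}
```

`verify_view` exits 0 only when both properties hold inside the sandbox, and 2 when bwrap is unavailable.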