On Nov 2, 2015 7:05 AM, "Adam Jackson" <a...@redhat.com> wrote: > > On Fri, 2015-10-30 at 14:58 -0700, Andrew Lutomirski wrote: > > On Fri, Oct 30, 2015 at 2:48 PM, Adam Jackson <a...@redhat.com> wrote: > > > > > > Anyone running any X (or wayland) application as root in their desktop > > > session is completely bonkers and deserves every consequence of their > > > poor decision. > > > > OK, I'll bite. Why is it bonkers? > > > > It's certainly the case that *gnome* might do something ridiculous if > > you 'sudo gedit' something, but 'sudo emacs' really ought to be > > equally acceptable regardless of whether you're using the terminal or > > X frontend. > > Same reason you probably don't want to run your irc client as root: > you're trusting the server to be well-behaved, through code that isn't > expecting to need to do input validation. Consider this class of > security bug: > > http://www.x.org/wiki/Development/Security/Advisory-2013-05-23/ > > Also, at least under X, you're trusting _every other app in the > session_ to politely ignore the privileged client. There's nothing to > stop another client from blitting a deceptive image into the privileged > window, or from creating input-only children of the privileged window > and stealing its keystrokes (and forwarding them on to the privileged > app however it sees fit, which might not be unmodified).
You have the same problem with root-equivalent polkit rights. > > This is all somewhat hypothetical, granted. Certainly one can > construct scenarios where it'd be safe enough. Probably there's > selinux policy for X that could fix this kind of abuse, and wayland has > a much smaller surface for this class of bug to sneak through. > We're talking about Wayland, though. > But, why take the risk exposure, when you could simply not? > > > ISTM the straightforward solution to all of this would be for Wayland > > to allow a connection from anyone who can connect to the socket. Then > > just set permissions on the socket accordingly. > > Unless I'm missing something, there's no way to set permissions on a > unix socket such that root (or anyone else with CAP_DAC_OVERRIDE) is > rejected. > Root can connect one way or another and you can't do anything to prevent it. The socket DAC/ACL approach lets users set their own policy (e.g. Android-like things where maybe a gid is the right thing to check), and while discouraging root GUI may make sense, actively trying to prevent it seems both user-hostile and futile. --Andy > - ajax > -- > devel mailing list > devel@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
