Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190711135702.GA16717@f195.suse.de>
Date: Thu, 11 Jul 2019 15:57:02 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Cc: Malte Kraus <malte.kraus@...e.com>
Subject: Re: Privileged File Access from Desktop Applications

Hello,

> So these links seem to say that things have been structured so you
> *can't* run GUI apps as root, not that there is a special or unusual
> security problem in Wayland if you run an application as root; if
> you logged in as root, you could run GUI applications as root. That's
> rather different from the original statement. Am I misunderstanding?

running GUI applications as root is often considered bad practice. Some
reasons may be things like:

- the graphic system itself not being safely designed for this case.
- the GUI applications are usually large programs that don't consider
  security a lot or do not work securely when run with root privileges,
  because this use case has never been considered by the developers.
  Some GUI applications even actively refuse to start as root for those
  reasons, even if it was possible with traditional X.

Anyways, our report did not intend to discuss whether it is a good idea
to run GUI applications as root and also not to judge whether it is a
good idea for Wayland to prohibit doing so. However, it is a matter of
fact that Wayland in its current form does not allow it.

There is a number of GUI applications around that are traditionally
run as root. Typical use cases are for example system configuration
tools that need root privileges for practically everything they do,
except for displaying the GUI elements. Also file browsers often did
have or still have a feature to start them as root for being able to
deal with privileged files. All of this becomes impossible when running
on Wayland.

And for these reasons GUI application developers try to find
alternatives to provide these features to users. Having a separate
privileged backend for logical operations and an unprivileged frontend
for display purposes is generally a good idea and a benefit to
overall application design and security. Even though such a design can
add its own share of complexity (the inter-process communication for
example, often covered by frameworks of some kind these days).

The frameworks we brought up in our report are fully generalized
backends for performing privileged file operations, however, which is a
different story again. I suppose this route was chosen to allow existing
applications to be quickly ported to scenarios like running on Wayland
without changing the actual application design. And that could exactly
be the point where security suffers as outlined in our report.

Cheers

Matthias

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.