oss-sec mailing list archives
Re: Privileged File Access from Desktop Applications
From: Matthias Gerstner <mgerstner () suse de>
Date: Thu, 11 Jul 2019 15:57:02 +0200
Hello,
So these links seem to say that things have been structured so you *can't* run GUI apps as root, not that there is a special or unusual security problem in Wayland if you run an application as root; if you logged in as root, you could run GUI applications as root. That's rather different from the original statement. Am I misunderstanding?
running GUI applications as root is often considered bad practice. Some reasons may be things like: - the graphic system itself not being safely designed for this case. - the GUI applications are usually large programs that don't consider security a lot or do not work securely when run with root privileges, because this use case has never been considered by the developers. Some GUI applications even actively refuse to start as root for those reasons, even if it was possible with traditional X. Anyways, our report did not intend to discuss whether it is a good idea to run GUI applications as root and also not to judge whether it is a good idea for Wayland to prohibit doing so. However, it is a matter of fact that Wayland in its current form does not allow it. There is a number of GUI applications around that are traditionally run as root. Typical use cases are for example system configuration tools that need root privileges for practically everything they do, except for displaying the GUI elements. Also file browsers often did have or still have a feature to start them as root for being able to deal with privileged files. All of this becomes impossible when running on Wayland. And for these reasons GUI application developers try to find alternatives to provide these features to users. Having a separate privileged backend for logical operations and an unprivileged frontend for display purposes is generally a good idea and a benefit to overall application design and security. Even though such a design can add its own share of complexity (the inter-process communication for example, often covered by frameworks of some kind these days). The frameworks we brought up in our report are fully generalized backends for performing privileged file operations, however, which is a different story again. I suppose this route was chosen to allow existing applications to be quickly ported to scenarios like running on Wayland without changing the actual application design. And that could exactly be the point where security suffers as outlined in our report. Cheers Matthias
Attachment:
signature.asc
Description:
Current thread:
- Privileged File Access from Desktop Applications Malte Kraus (Jul 09)
- Re: Privileged File Access from Desktop Applications Perry E. Metzger (Jul 09)
- Re: Privileged File Access from Desktop Applications Perry E. Metzger (Jul 10)
- Re: Privileged File Access from Desktop Applications Malte Kraus (Jul 11)
- Re: Privileged File Access from Desktop Applications Perry E. Metzger (Jul 11)
- Re: Privileged File Access from Desktop Applications Matthias Gerstner (Jul 11)
- Re: Privileged File Access from Desktop Applications Malte Kraus (Jul 11)
- Re: Privileged File Access from Desktop Applications Perry E. Metzger (Jul 11)
- Re: Privileged File Access from Desktop Applications Bob Friesenhahn (Jul 11)
- Re: Privileged File Access from Desktop Applications John Haxby (Jul 11)
- Re: Privileged File Access from Desktop Applications Simon McVittie (Jul 11)
- Re: Privileged File Access from Desktop Applications Simon McVittie (Jul 11)
- Re: Privileged File Access from Desktop Applications Perry E. Metzger (Jul 11)
- Re: Privileged File Access from Desktop Applications Jordan Glover (Jul 12)
- Re: Privileged File Access from Desktop Applications Perry E. Metzger (Jul 12)
- Re: Privileged File Access from Desktop Applications Perry E. Metzger (Jul 12)
- Re: Privileged File Access from Desktop Applications Perry E. Metzger (Jul 09)