Re: When wayland spreads it looks like no more running gui's as root.
- Date: Tue, 18 Apr 2017 02:20:24 +0000 (UTC)
- From: Duncan <1i5t5.duncan@xxxxxxx>
- Subject: Re: When wayland spreads it looks like no more running gui's as root.
John posted on Tue, 18 Apr 2017 00:07:00 +0100 as excerpted:
> This cropped up on a forum recently. It seems a decision has been made
> to prevent any gui application being run as root.
> 2nd hand info but it seems no gui app can be secure.
> I get cheesed off with this sort of thing as most security
> vulnerabilities that get exploited tend to be via low level stuff
> especially when they are connected to the web or via strange things
> added to code that allow anyone to get in if they know about it.
> I haven't read all of it but this thread seems to be getting a lot of
> I was too annoyed to read all of it. The title sums it up.
You're taking something you read /waayyy/ out of context... after not
reading all of it to begin with, no less.
The short version:
X wasn't designed for security and among other things, every X app can
read what you type into any other app... and (under normal conditions)
fake typing into other apps itself. Also, until recently the X server
required root privs to run in any case.
Wayland is, OTOH, designed with security in mind, to run as a normal
user, and under normal circumstances, only the compositor will be able to
globally read what's typed into other applications and their windows (and
AFAIK be able to fake typing into them from other apps).
But already within X, there are authorization mechanisms such as policykit
that are normally configured to allow logged-in users to do things (like
setting the system clock) that would normally require root permissions,
and these will continue to work in wayland, as wayland is designed with
them in mind. The nice thing about it, however, is that because unlike
X, wayland doesn't let every app spy on the input to every other app, you
won't be effectively shouting your password from the rooftop within
earshot of every wayland app when you type it in, the way you are on X.
Now I'm not specifically sure about your headline claim, but it /does/
stand to reason that with the higher wayland security, you may not be
able to /directly/ run apps as another user (including root), like you
can on X.
But the secure model for working as another user, particularly superuser/
root, is to do what policykit and friends already do, which is split the
functionality in half, with a secure server running on the root side and
a client talking to it (via dbus, etc) from the user side, with a
filtering mechanism in place that only allows certain specific commands
thru from the user side to the superuser side.
In addition, on wayland, it's (still) possible to run multiple sessions,
each as a different user, and there's no technical reason why root
couldn't run its own session, under which you could run dolphin, etc.
Now running a full session as root /is/ questionable security policy, but
not /that/ much more than running a root dolphin on a normal user
session, typing in the password and letting everyone see it... or not and
letting everyone do the same thing if they want. And just like full root
logins now, distros would set their own defaults allowing or forbidding
it, and individual site or systems admins could reconfigure the distro
default to their own liking if they prefer.
So allowing a root wayland session should be a distro and ultimately
local admin decision, just as allowing a root X or even text login
already is. And if necessary, you can run your root dolphin in that
session, just as you can run a root dolphin in a root-login X session now.
Meanwhile, something that's possible now but not done as commonly, but
which will likely be much more common on wayland, is nesting sessions.
Certainly, nested X sessions will be commonplace for many years as not
all X-apps are going to get a wayland version right away, and some,
particularly servantware (distributed as binary-only, no sources and
modification and distribution is prohibited, contrast freedomware such as
Linux, KDE, Xorg, and wayland), will likely /never/ get wayland
versions. So even after say five years or a decade when running nested X
sessions isn't supported with the default install, it's extremely likely
it'll continue to be supported with the installation of a few extra
But I /believe/ nesting wayland within wayland is possible too, so it
should be possible to run a root wayland session with just dolphin in it,
nested within your normal user wayland session. In fact, I imagine many
distros will have that setup by default, just as they do now your dolphin
as root, in X.
Meanwhile, all that's assuming that running a root dolphin directly
within a user wayland won't be possible. But as I said I'm not sure of
that, tho it would certainly make security sense. However, note that
just running a root dolphin session in your user X session doesn't just
work, either. There's actually a lot of security stuff going on behind
the scenes, handing off of authentication tokens to root by placing
them where the root dolphin app can read them and thus properly connect
to the user X session, etc.
It's quite possible that such will actually be possible with wayland as
well, and that the appropriate security plumbing simply hasn't been
hooked up to make it actually work yet, so it's just as broken as
attempting to do it in X would be without its appropriate security
Bottom line, if your distro is already setting it up so you can run a
root dolphin in your user X session, they're extremely likely to continue
to set up something that works reasonably similarly... to the user
anyway... in wayland. If they can't do a direct root dolphin on a user
wayland session like they can (with some security plumbing) in X, they'll
probably set up a nested X or wayland root session, with dolphin running
in it. I know they can do that with a nested X session, and I suspect
they can with a nested wayland session.
And there's another alternative as well, the root login wayland session,
running dolphin from there.
But you'll definitely be able to run dolphin as root, one way or another,
either using some method set up by the distro, or via local admin override
of distro policy. And just as now, if you don't like the way your distro
handles it, there's other distros to choose from, some of which will
handle it differently.
So nothing to be upset about. As I said, you simply didn't read enough
about how wayland works, either in that thread or as general research, to
know the context.
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
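The split-privilege model Duncan describes (a root-side service that exposes only a few named actions to an unprivileged client, with a filter deciding what gets through) as an added Python illustration; this is not polkit's code or anything from the thread, and the action id, the `Caller` fields and the JSON request shape are assumptions chosen for the example:

```python
"""Toy privilege-separation helper: the root side exposes a short allowlist
of named actions (never a shell), and each action has its own authorization
rule.  Added illustration of the pattern, not polkit's implementation."""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Caller:
    """Identity of the unprivileged requester, as the transport (e.g. D-Bus)
    would report it.  Fields are assumptions for this example."""
    uid: int
    active_local_session: bool  # analogous to polkit's subject.local && subject.active


def _authorize_set_time(caller: Caller) -> bool:
    # Mirrors the common "allow_active: yes" default: any active local user.
    return caller.active_local_session


def _set_time(args: dict) -> dict:
    # A real helper would call clock_settime(); here only the argument is validated.
    ts = args.get("timestamp")
    if not isinstance(ts, int) or isinstance(ts, bool) or ts < 0:
        raise ValueError("timestamp must be a non-negative integer")
    return {"set": ts}


# The filter: action id -> (authorization rule, handler).  Anything not
# listed here is refused before any privileged code runs.
ACTIONS = {
    "org.example.clock.set-time": (_authorize_set_time, _set_time),  # assumed id
}


def handle_request(caller: Caller, raw: str) -> dict:
    """Parse one JSON request from the user side and run it only if it names an
    allowlisted action and the caller passes that action's rule."""
    try:
        req = json.loads(raw)
        action = req["action"]
        args = req.get("args", {})
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"ok": False, "error": "malformed request"}
    if not isinstance(args, dict):
        return {"ok": False, "error": "malformed request"}
    entry = ACTIONS.get(action)
    if entry is None:
        return {"ok": False, "error": "unknown action"}
    authorize, handler = entry
    if not authorize(caller):
        return {"ok": False, "error": "not authorized"}
    try:
        return {"ok": True, "result": handler(args)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
```

The point of the allowlist is that a request for anything not named in `ACTIONS`, such as running an arbitrary program, never reaches privileged code at all, which is the property a direct "run this GUI as root" has no equivalent of.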