Re: When wayland spreads it looks like no more running gui's as root.

John posted on Tue, 18 Apr 2017 00:07:00 +0100 as excerpted:

> This cropped up on a forum recently. It seems a decision has been made
> to prevent any gui application being run as root.
> 
> 2nd hand info but it seems no gui app can be secure.
> 
> I get cheesed off with this sort of thing as most security
> vulnerabilities that get exploited tend to be via low level stuff
> especially when they are connected to the web or via strange things
> added to code that allow anyone to get in if they know about it.
> 
> I haven't read all of it but this thread seems to be getting a lot of
> reads
> 
>  https://forums.opensuse.org/showthread.php/524150-Executing-Dolphin-as-root-is-not-possible
> 
> I was too annoyed to read all of it. The title sums it up.

You're taking something you read /waayyy/ out of context... after not 
reading all of it to begin with, no less.

The short version:

X wasn't designed for security and among other things, every X app can 
read what you type into any other app... and (under normal conditions) 
fake typing into other apps itself.  Also, until recently the X server 
required root privs to run in any case.

Wayland is, OTOH, designed with security in mind, to run as a normal 
user, and under normal circumstances, only the compositor will be able to 
globally read what's typed into other applications and their windows (and 
AFAIK be able to fake typing into them from other apps).

But already within X, there's authorization mechanisms such as policykit 
that are normally configured to allow logged-in users to do things (like 
setting the system clock) that would normally require root permissions, 
and these will continue to work in wayland, as wayland is designed with 
them in mind.  The nice thing about it, however, is that because unlike 
X, wayland doesn't let every app spy on the input to every other app, you 
won't be effectively shouting your password from the rooftop within 
earshot of every wayland app when you type it in, the way you are on X. 
=:^)

Now I'm not specifically sure about your headline claim, but it /does/ 
stand to reason that with the higher wayland security, you may not be 
able to /directly/ run apps as another user (including root), like you 
can on X.

But the secure model for working as another user, particularly superuser/
root, is to do what policykit and friends already do, which is split the 
functionality in half, with a secure server running on the root side and 
a client talking to it (via dbus, etc) from the user side, with a 
filtering mechanism in place that only allows certain specific commands 
through from the user side to the superuser side.

In addition, on wayland, it's (still) possible to run multiple sessions, 
each as a different user, and there's no technical reason why root 
couldn't run its own session, under which you could run dolphin, etc.  
Now running a full session as root /is/ questionable security policy, but 
not /that/ much more than running a root dolphin on a normal user 
session, typing in the password and letting everyone see it... or not and 
letting everyone do the same thing if they want.  And just like full root 
logins now, distros would set their own defaults allowing or forbidding 
it, and individual site or systems admins could reconfigure the distro 
default to their own liking if they prefer.

So allowing a root wayland session should be a distro and ultimately 
local admin decision, just as allowing a root X or even text login 
already is.  And if necessary, you can run your root dolphin in that 
session, just as you can run a root dolphin in a root-login X session now.

Meanwhile, something that's possible now but not done as commonly, but 
which will likely be much more common on wayland, is nesting sessions.

Certainly, nested X sessions will be commonplace for many years as not 
all X-apps are going to get a wayland version right away, and some, 
particularly servantware (distributed as binary-only, no sources and 
modification and distribution is prohibited, contrast freedomware such as 
Linux, KDE, Xorg, and wayland), will likely /never/ get wayland 
versions.  So even after say five years or a decade when running nested X 
sessions isn't supported with the default install, it's extremely likely 
it'll continue to be supported with the installation of a few extra 
packages.

But I /believe/ nesting wayland within wayland is possible too, so it 
should be possible to run a root wayland session with just dolphin in it, 
nested within your normal user wayland session.  In fact, I imagine many 
distros will have that set up by default, just as they do now for your dolphin 
as root, in X.

Meanwhile, all that's assuming that running a root dolphin directly 
within a user wayland won't be possible.  But as I said I'm not sure of 
that, tho it would certainly make security sense.  However, note that 
just running a root dolphin session in your user X session doesn't just 
work, either.  There's actually a lot of security stuff going on behind 
the scenes, handing off of authentication tokens to root by placing 
them where the root dolphin app can read them and thus properly connect 
to the user X session, etc.

It's quite possible that such will actually be possible with wayland as 
well, and that the appropriate security plumbing simply hasn't been 
hooked up to make it actually work yet, so it's just as broken as 
attempting to do it in X would be without its appropriate security 
plumbing.


Bottom line, if your distro is already setting it up so you can run a 
root dolphin in your user X session, they're extremely likely to continue 
to set up something that works reasonably similarly... to the user 
anyway... in wayland.  If they can't do a direct root dolphin on a user 
wayland session like they can (with some security plumbing) in X, they'll 
probably set up a nested X or wayland root session, with dolphin running 
in it.  I know they can do that with a nested X session, and I suspect 
they can with a nested wayland session.

And there's another alternative as well, the root login wayland session, 
running dolphin from there.

But you'll definitely be able to run dolphin as root, one way or another, 
either using some method set up by the distro, or via local admin override 
of distro policy.  And just as now, if you don't like the way your distro 
handles it, there's other distros to choose from, some of which will 
handle it differently.


So nothing to be upset about.  As I said, you simply didn't read enough 
about how wayland works, either in that thread or as general research, to 
know the context.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
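The "security plumbing" Duncan mentions for running a root app on a user X session is the handoff of the MIT-MAGIC-COOKIE-1 token: the X server only accepts clients that present the cookie stored in the session owner's ~/.Xauthority, so the cookie for that display has to be copied somewhere root can read it. This is an added example, not code from the post or from the xauth tool; it re-implements the file copy that `xauth extract`/`xauth merge` perform so the format and the 0600 permission are visible. The entries (hostname "workstation", two 16-byte cookies) are constructed sample data.

```python
# Added example: the Xauthority token handoff behind "run dolphin as root on
# a user's X session". Xorg checks MIT-MAGIC-COOKIE-1 cookies stored in
# ~/.Xauthority; the file is a sequence of entries, each:
#   u16 family | u16 len + address | u16 len + display-number (ASCII)
#   | u16 len + auth-name | u16 len + auth-data, all big-endian.
# The sample entries below are constructed, not captured from a real host.
import os
import struct
import tempfile

FAMILY_LOCAL = 256  # FamilyLocal: unix-socket displays keyed by hostname


def _read_field(buf, pos):
    """Read one length-prefixed (big-endian u16) field of an entry."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_xauthority(buf):
    """Return one dict per entry in an Xauthority byte string."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _read_field(buf, pos)
        number, pos = _read_field(buf, pos)
        name, pos = _read_field(buf, pos)
        data, pos = _read_field(buf, pos)
        entries.append({"family": family, "address": address,
                        "number": number.decode(), "name": name.decode(),
                        "data": data})
    return entries


def serialize_xauthority(entries):
    """Inverse of parse_xauthority: dicts back to the on-disk byte layout."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e["family"])
        for field in (e["address"], e["number"].encode(),
                      e["name"].encode(), e["data"]):
            out += struct.pack(">H", len(field)) + field
    return bytes(out)


def extract_display(buf, display_number):
    """Like `xauth extract - :N`: keep only the cookies for display :N, so
    the other user never receives cookies for displays it has no business on."""
    return [e for e in parse_xauthority(buf)
            if e["number"] == str(display_number)]


def write_handoff_file(entries, path):
    """Write a minimal Xauthority file for the other user to point XAUTHORITY
    at. Created 0600 so the cookie is not world-readable on the way over."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(serialize_xauthority(entries))


def make_entry(display_number, cookie, host=b"workstation"):
    """Build a FamilyLocal MIT-MAGIC-COOKIE-1 entry (constructed sample)."""
    return {"family": FAMILY_LOCAL, "address": host,
            "number": str(display_number),
            "name": "MIT-MAGIC-COOKIE-1", "data": cookie}


# Constructed sample ~/.Xauthority with cookies for :0 and :1 (xauth uses
# 16-byte random cookies; these are deterministic placeholders).
SAMPLE_COOKIE_0 = bytes(range(16))
SAMPLE_COOKIE_1 = bytes(range(16, 32))
SAMPLE_XAUTHORITY = serialize_xauthority(
    [make_entry(0, SAMPLE_COOKIE_0), make_entry(1, SAMPLE_COOKIE_1)])


def demo():
    """Hand off only display :0's cookie via a 0600 file and read it back."""
    only0 = extract_display(SAMPLE_XAUTHORITY, 0)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "root-xauth")
        write_handoff_file(only0, path)
        mode = os.stat(path).st_mode & 0o777
        with open(path, "rb") as f:
            roundtrip = parse_xauthority(f.read())
    return roundtrip, mode


if __name__ == "__main__":
    entries, mode = demo()
    print("handed off", len(entries), "entry for :0, file mode", oct(mode))
```

The shell equivalent, which distro sudo/su wrappers do for you, is `xauth extract - :0 | sudo xauth merge -` (root then reads its own ~/.Xauthority). The point the example makes explicit is that this copy is what lets a root client authenticate to the user's server; Wayland compositors do not use this cookie scheme, which is why a root client on a user Wayland session needs different plumbing.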