There's Rapid Progress Being Made On KDE For Wayland

#21
Originally posted by kreijack:
    If you can use LD_PRELOAD to inject into other processes you have control of other processes: mouse events, key presses, files read, and also the screen... This is a bigger security hole than X.
This is true, but while there are ways to prevent that, they become meaningless if the X attack vector is still there.

Let's for example think about running an application on a remote host, e.g. via ssh -X.
It cannot LD_PRELOAD anything into your local processes, it cannot attach via a debugger, it cannot manipulate files that would lead any of your local processes to let it gain access, it cannot read any data on your system, no matter how unprotected it is.

So, as far as processes are concerned, this is perfect sandboxing of that application.

However, due to its connection to your X server, it has full access to all user-generated events, to all screen content, etc.

Even worse, anyone with access to the remote X socket can do that, e.g. the remote system's administrator.
The security of the remote system, or lack thereof, can compromise yours.

Originally posted by kreijack:
    I think that the security benefit of Wayland is somewhat excessively valued: if you are executing a "non-trusted" process, you are always in trouble.
This is of course also true, but again: there are measures you can take to reduce the potential threat, from a simple chroot, through running the process as a different user, to confining the process in its own container.
But why go to that trouble if you are handing that process all your input and screen content on a silver platter anyway?

The security benefit of Wayland needs to be gauged in the context of other improvements on the system level.
These would become more or less meaningless without being accompanied by respective improvements on the display server side.

So basically: enabling ourselves to apply the access restrictions that we already have and deploy for non-GUI processes to processes with a GUI.

Originally posted by kreijack:
    I am more worried about the flexibility which we would lose: I am thinking about the screenshot application and/or the color picker...

Well, I don't know about you, but I for example do not run my user session and all programs in it as root just because that has the highest flexibility as far as file and device access is concerned.

I explicitly like the fact that applications that need privileged access need to ask for it, or can be granted it via system mechanisms on a permanent basis, while all other random programs are kept from having it.

It isn't a matter of what you can do or allow certain programs to do, it is a matter of what they can do by default.

Cheers,
_
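What the post above describes, as an added shell example that is not part of the thread and not KDE or Wayland project code: any process holding a valid cookie for the X display can read every keystroke and grab the whole screen, whether it runs locally or on the far end of ssh -X, and OpenSSH's untrusted X11 forwarding is the one knob that narrows it. It assumes an X11 session with the xinput, xwd, timeout and OpenSSH client tools installed (none of which the thread names), and the function names are the example's own.

```shell
#!/bin/sh
# Added example for the point made in #21; not code from the thread or from
# KDE/Wayland. Assumes an X11 session plus xinput, xwd, coreutils timeout and
# the OpenSSH client (all assumed installed; the thread does not name them).

# Pure helper: classify a DISPLAY value so the demo can say which socket it is
# about to talk to. ":0"/"unix:0" is the local Unix socket; "localhost:10.0"
# style displays are what ssh -X hands a remote process.
display_kind() {
  case "$1" in
    "")                       echo "none" ;;
    :*|unix:*)                echo "local" ;;
    localhost:*|127.0.0.1:*)  echo "forwarded" ;;
    *:*)                      echo "tcp" ;;
    *)                        echo "invalid" ;;
  esac
}

# 1. Input: with XInput2 any client may select raw events on the root window
#    and receives every key press and pointer movement, regardless of focus.
#    Run this on the "remote" side of an ssh -X session and the local user's
#    keystrokes scroll by; it needs no privilege beyond the X cookie.
snoop_input() {
  secs="${1:-5}"
  timeout "$secs" xinput test-xi2 --root 2>&1 | grep -E 'RawKeyPress|RawMotion|detail:'
}

# 2. Screen: GetImage on the root window returns every visible window, no
#    matter which client owns it.
grab_screen() {
  out="${1:-/tmp/root.xwd}"
  xwd -root -silent -out "$out" && echo "root window saved to $out"
}

# 3. Narrowing the ssh -X case: ask OpenSSH for an untrusted forwarded display.
#    The ssh client then creates the forwarded cookie with
#    "xauth generate ... untrusted", and the X SECURITY extension refuses that
#    client every non-core extension (XInput, XTEST, RECORD, ...) and GetImage
#    on windows it does not own, so 1. and 2. above fail with BadAccess.
#    Several distributions ship "ForwardX11Trusted yes" in ssh_config, which is
#    why a plain -X often behaves like -Y (fully trusted); say it explicitly.
ssh_untrusted_x() {
  ssh -X -o ForwardX11Trusted=no "$@"
}

# Show what the effective client config will do for a host, without connecting.
x11_trust_for_host() {
  ssh -G "$1" | awk '$1 == "forwardx11trusted" { print $2 }'
}

# Only run the live demo when asked, so the file can be sourced for its helpers.
if [ -n "${RUN_DEMO:-}" ]; then
  echo "DISPLAY=$DISPLAY ($(display_kind "$DISPLAY"))"
  snoop_input 5
  grab_screen
fi
```

Run it with `RUN_DEMO=1 sh x11-snoop.sh` from a terminal on the forwarded display, type into any other window, and watch the raw key events arrive; repeat after reconnecting through `ssh_untrusted_x host` and both probes are refused. `x11_trust_for_host host` is the quick check for what your own ssh_config actually sends.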


#22
Originally posted by kreijack:
    If you can use LD_PRELOAD to inject into other processes you have control of other processes: mouse events, key presses, files read, and also the screen... This is a bigger security hole than X.
    I think that the security benefit of Wayland is somewhat excessively valued: if you are executing a "non-trusted" process, you are always in trouble. I am more worried about the flexibility which we would lose: I am thinking about the screenshot application and/or the color picker...
You misread my earlier post. Screenshot and color picker *were* problems. Those problems have since been handled by letting the compositor poke holes in the security very briefly. X is insecure by mandate of X: all clients are assumed to be trusted. Wayland is secure by default: all clients, except for the compositor, are assumed to be untrusted where possible.
All opinions are my own, not those of my employer, if you know who they are.


#23
Our fundamental problem seems to be that we've never had a proper desktop Linux operating system; we've just had server knock-offs, with various ill-fitting superstructure thrown on top. The result is a mess that can be inconvenient to use, but is not secure. That's not a dig at anybody; obviously it's just as much my responsibility to make that happen as anyone else's.

A single-user operating system needs to be designed from the ground up as a single-user operating system. Even when we let other users use our desktop or laptop, these other users are hardly the main concern for most desktop owners. No, the concern is the apps and the user-space infrastructure that we install for ourselves.

I've just started playing around with servers and HTTP. I say playing around with servers because of course your desktop distro is a server out of the box. I'm just playing at the moment, but you don't have to get far in before things start to make sense which make no sense as a desktop user. My first dedicated server, just for the house, will probably be Arch. I'm serving my own HTTP, I don't need Apache or any of that bloatware (just kidding, I know it's amazingly powerful and useful for production servers). But even Arch base is bloated for my needs. I only need it to mount one hard drive and plug into the router.

The needs of a desktop operating system are just totally, totally different from a server's. Simplicity for a server is a very different kettle of fish from simplicity for a desktop user who wants to just boot up, get on with his work, emails, browse, watch a film, Skype, use an IDE or even SSH into his server.


#24
Originally posted by doom_Oo7:
    On one hand, yes, this is a security failure; on the other hand, a small reason why I left Windows for Linux is that not being able to write to Program Files & al. in recent versions was driving me mad to no end. Even just having to do a manual confirmation in a dialog pisses me off.
THIS, seriously. Stop imposing stuff, we DON'T WANT to become Windows. If that means fewer security measures, then so be it. I prefer to have control of my own machine rather than give it to some complex, useless shit. If I have to learn how to manage security by myself, then I will do so.


#25
Originally posted by asdfblah:
    THIS, seriously. Stop imposing stuff, we DON'T WANT to become Windows. If that means fewer security measures, then so be it. I prefer to have control of my own machine rather than give it to some complex, useless shit. If I have to learn how to manage security by myself, then I will do so.
You will always have root and full control of any machine you are running Linux on; this is just ridiculous.

What this discussion is about is sandboxing and restricting user accounts so you aren't immediately pwned by hostile malware.


#26
Originally posted by Rich Oliver:
    Our fundamental problem seems to be that we've never had a proper desktop Linux operating system; we've just had server knock-offs, with various ill-fitting superstructure thrown on top. The result is a mess that can be inconvenient to use, but is not secure. That's not a dig at anybody; obviously it's just as much my responsibility to make that happen as anyone else's.

    A single-user operating system needs to be designed from the ground up as a single-user operating system. Even when we let other users use our desktop or laptop, these other users are hardly the main concern for most desktop owners. No, the concern is the apps and the user-space infrastructure that we install for ourselves.

    I've just started playing around with servers and HTTP. I say playing around with servers because of course your desktop distro is a server out of the box. I'm just playing at the moment, but you don't have to get far in before things start to make sense which make no sense as a desktop user. My first dedicated server, just for the house, will probably be Arch. I'm serving my own HTTP, I don't need Apache or any of that bloatware (just kidding, I know it's amazingly powerful and useful for production servers). But even Arch base is bloated for my needs. I only need it to mount one hard drive and plug into the router.

    The needs of a desktop operating system are just totally, totally different from a server's. Simplicity for a server is a very different kettle of fish from simplicity for a desktop user who wants to just boot up, get on with his work, emails, browse, watch a film, Skype, use an IDE or even SSH into his server.
Well... Yes and no.

It's really not useful to think of OSes in terms of single-user vs multi-user, even if that was the historical separation, because while your use case might have you as a single user, there's nothing intrinsic about desktops that makes them single-user. Consider for example the case of a family with kids where each member has a user account. The parents may be the owners and the ones with an admin account, but it's intrinsically a multi-user situation. Also consider a school or business with LDAP or some other directory service running, where beyond initial configuration (assuming it doesn't break) the admin doesn't even touch the system anymore and it just goes into the hands of its users. That's a very, very multi-user environment. Instead one should really be thinking about it as the separation between desktop and server OSes.

Now you are correct that at this point all of the real focus on desktop Linux by the major distros has stopped, with the real focus being on the server. Which primarily stems from the fact that the desktop is not profitable, and thus while Red Hat may for example invest money in GNOME developers, Red Hat itself isn't really looking to make a product from it.

This is actually why PC-BSD is very exciting to me: it is primitive and kinda crappy right now in many ways, but it is an actual desktop product, developing actual desktop features that currently do not exist anywhere else in the OSS sphere. Which in the long run may end up triggering a shift, as desktop features do matter.


#27
Originally posted by asdfblah:
    THIS, seriously. Stop imposing stuff, we DON'T WANT to become Windows. If that means fewer security measures, then so be it. I prefer to have control of my own machine rather than give it to some complex, useless shit. If I have to learn how to manage security by myself, then I will do so.
GNU/Linux is not a toy OS for hobbyists. It's a serious OS used in a vast majority of phones, embedded devices of all kinds, servers and supercomputers around the world.

Since it's Free and open, it also happens to be perfect for hobbyists, but security is not gonna be compromised so that some script kiddies can play around with fewer security restrictions while their computer is being infected.

BTW, "learning how to manage security by yourself" will be much more complex than having to deal with a few additional security measures. And if you do learn "how to manage security by yourself", you will then fully understand why those measures are necessary.
Last edited by wagaf; 19 September 2015, 03:11 PM.


#28
Originally posted by zanny:
    You will always have root and full control of any machine you are running Linux on; this is just ridiculous.

    What this discussion is about is sandboxing and restricting user accounts so you aren't immediately pwned by hostile malware.
Originally posted by wagaf:
    GNU/Linux is not a toy OS for hobbyists. It's a serious OS used in a vast majority of phones, embedded devices of all kinds, servers and supercomputers around the world.

    Since it's Free and open, it also happens to be perfect for hobbyists, but security is not gonna be compromised so that some script kiddies can play around with fewer security restrictions while their computer is being infected.

    BTW, "learning how to manage security by yourself" will be much more complex than having to deal with a few additional security measures. And if you do learn "how to manage security by yourself", you will then fully understand why those measures are necessary.
I doubt you can prevent much when the user barely knows how to secure their own system. Most people/OSes are compromised by using social engineering... I mean, how many Linux sysadmins run scripts directly from the internet? I suggest you read this thread and all the links in it: https://news.ycombinator.com/item?id=10235194

BTW, I am talking about *MY* desktop OS and *MY* security. I didn't even say DON'T put in security measures, I said "stop IMPOSING them", and I'm talking about annoying stuff that ends up doing more harm than good (that is, to the desktop user). Small difference...

Also, LOL @ "GNU/Linux is not a toy OS for hobbyists"... that's exactly what many Linux devs seem to think. Linus himself prefers to keep security measures (read: grsec) out of mainline kernels because "all bugs can be security bugs" and "this patch doesn't fit my taste". Don't bother me with this BS; the kernel itself should have been the first place to start implementing security measures, and not even Red Hat cares.


#29
Actually, Kubuntu appears to be the best Linux operating system. If it reduces the number of instances it will improve further.
Last edited by Azrael5; 19 September 2015, 04:47 PM.


#30
Originally posted by Luke_Wolf:
    It's really not useful to think of OSes in terms of single-user vs multi-user, even if that was the historical separation, because while your use case might have you as a single user, there's nothing intrinsic about desktops that makes them single-user. Consider for example the case of a family with kids where each member has a user account. The parents may be the owners and the ones with an admin account, but it's intrinsically a multi-user situation. Also consider a school or business with LDAP or some other directory service running, where beyond initial configuration (assuming it doesn't break) the admin doesn't even touch the system any more and it just goes into the hands of its users. That's a very, very multi-user environment. Instead one should really be thinking about it as the separation between desktop and server OSes.
OK, but I still want the option to set up a desktop as a single main user. I might want to add secondary users, with their own home folders and reduced permissions, but there is still only one main user, and I am sure that applies to a lot of desktop / laptop owners. I don't want to have to pretend to be two users, root and me. It's irritating that when I go in as root or use root Dolphin, for example, I have to repeat the setup that I have done on my own account. It would also be useful to have an any-user file permission. The whole current situation is ridiculous. If you copy files from one system to another, someone else can access them and you can't if you have a different user id on the other system.

I always multiboot, so I keep my data on a separate partition. Even most of my development applications: Java, Eclipse, Scala, gcc, etc. are on a separate partition. I don't trust the distros to manage them.
Last edited by Rich Oliver; 21 September 2015, 09:51 AM.