Originally posted by kreijack
View Post
Lets for example think about running an application on a remote host, e.g. via ssh -X.
It cannot LD_PRELOAD anything into your local processes, it cannot attach via a debugger, it cannot manipulate files that would lead any of your local processes to let it gain access, it cannot read any data on your system, no matter how unprotected it is.
So, as far as processes are concerned, this is perfect sandboxing of that application.
However, due to its connection to your X server, it has full access to all user generated events, to all screen content, etc.
Even worse, anyone with access to the remote X socket can do that, e.g. the remote system's administrator.
The security of the remote system or lack thereof can compromise yours.
Originally posted by kreijack
View Post
But why go to that trouble if you are handing that process all your input and screen content on a silver platter anyway?
The security benefit of Wayland needs to be guaged in the context of other improvements on the system level.
These would become more or less meaningless being accompanied by respective improvements on the display server side.
So basically enabling ourselves to apply access restrictions that we already have and deploy for non-GUI processes to processes with GUI.
Originally posted by kreijack
View Post
Well, I don't know about you but I for example do not run my user session and all programs in it as root just because that has the highest flexibility as file and device access is concerned.
I explicitly like that fact that applications that need privilegded access need to ask for it or can be granted those via system mechanisms on a permanent basis, but keeping all other random programs from having it.
It isn't a matter what you can do or allow certain programs to do, it is a matter of what they can do by default.
Cheers,
_
Comment