Originally posted by mSparks
sudo su firefoxuser
firefox
firefox
Redone for wayland following
Code:
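# Let firefoxuser traverse the runtime directory
setfacl -m firefoxuser:r-x -- "$XDG_RUNTIME_DIR"
# Open the compositor socket and its lock file to that one user
setfacl -m firefoxuser:rwx -- "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"
setfacl -m firefoxuser:rw -- "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY.lock"
# Switch to firefoxuser, passing the Wayland variables through, then start the browser
sudo -E su --whitelist-environment=WAYLAND_DISPLAY,XDG_RUNTIME_DIR firefoxuser
firefox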
Originally posted by mSparks
Hopefully one day it will not matter if you are using Wayland or X11; what user can access your display server will be enforced by POSIX ACL, as in the OS kernel.
Do note POSIX ACLs have been on Linux/BSD/Unix systems for over 20 years now. It was over 10 years at the point mSparks was quoting. A user asking for the Wayland compositor to default to being world-writable: of course the answer should be no, this is insecure. Having the socket world-writable has been proven insecure by the X11 CVE history of bugs that worked before the server-interpreted permissions could successfully disconnect the socket.
mSparks, if it is not safe to have server-side interpreted permissions, what do you do? That's right: what Wayland does, start up locked down and force the user to use the host OS permissions to open the socket up. With ACLs the socket can be opened up 1 user at a time.
Security design moves on. X11 security design is stuck pre-POSIX ACL, and I am trying, with a bug I have opened, to bring it up to date.
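A check to run after granting access as in the setfacl commands above, added here as an example and not part of any post in the thread: it reads getfacl-format output for the display socket, lists which named users can effectively connect once the ACL mask is applied, and fails if the socket is world-writable. The function names and both sample ACL listings are constructed for illustration.

```shell
# Added example (not from the thread). Reads getfacl-format text on stdin and
# reports which named users can effectively write to (connect to) the socket.
# Exit status is 1 when "other" has write, i.e. the socket is world-writable.
# Live use: getfacl -- "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY" | audit_socket_acl
audit_socket_acl() {
    awk -F: '
        /^#/ || NF < 3 { next }                      # header comments, blanks
        { p = $3; sub(/[ \t].*$/, "", p) }           # drop "#effective:" trailer
        $1 == "user" && $2 != "" { names[++n] = $2; perms[n] = p }
        $1 == "mask"  { mask = p; have_mask = 1 }
        $1 == "other" && p ~ /w/ { world = 1 }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""                             # named-user perms limited by mask
                for (c = 1; c <= 3; c++) {
                    ch = substr(perms[i], c, 1)
                    eff = eff ((have_mask && substr(mask, c, 1) == "-") ? "-" : ch)
                }
                printf "%s %s %s\n", names[i], eff, (eff ~ /w/ ? "can-connect" : "blocked")
            }
            if (world) print "other WORLD-WRITABLE"
            exit world + 0
        }'
}

# Constructed sample: socket opened to exactly one extra user.
sample_per_user() {
cat <<'EOF'
# file: run/user/1000/wayland-0
user::rwx
user:firefoxuser:rwx
group::---
mask::rwx
other::---
EOF
}
# Constructed sample: world-writable socket; the mask blocks the named entry.
sample_world_writable() {
cat <<'EOF'
# file: run/user/1000/wayland-0
user::rwx
user:firefoxuser:rwx
group::rw-
mask::r--
other::rw-
EOF
}
sample_per_user | audit_socket_acl
sample_world_writable | audit_socket_acl || echo "audit failed: socket is world-writable"
```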