Turns Out That Snaps Are Not Secure In Ubuntu With X11

prisoninmate quotes a report from Softpedia: According to Matthew Garrett, a renowned CoreOS security developer, and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, it is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. The fact of the matter is that X11's old design is well-known for being insecure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software, in this case anything you type on the Mozilla Firefox web browser. As more developers will provide snaps for their apps, Canonical needs to do something about the security of snaps in Ubuntu when using X11 or switch to the Mir display server. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server. Canonical has officially released Ubuntu 16.04 LTS, which is now available to download for those interested.

Better summary

[isj]

"snaps" is a new package format for applications on Ubuntu. It is basically a package with dependencies, bundled together and meant for running in a container (docker or lxc I suppose?) which means that the OS is protected from it.

However, since the application has access to X11 window server it has access to the facilities in it including monitoring keystrokes and mouse gestures sent to other X11 applications. So essentially a "snaps" can be a trojan keylogger.

The article/blog does _not_ explore if X11's "untrusted client" feature would help.

Re:Better summary

[serviscope_minor]

No, it's a general thing with program security. You can mark programs as trusted or untrusted using a variety of mechanisms.

For example, you can run programs as root (very truseted as they get access to everything), as a normal user (moderately trusted: they can't muck up the whole machine, but they can muck up the user), as a guest user (same, but there's nothing much to muck up) and the using various things like cgroups/jails to sandbox it further.

X has a mechanism to say a client is untrusted in which case it's not allowed to mess with windows that it doesn't own. Trusted clients can mess with each other's windows.

I don't see the big deal

[LichtSpektren]

If you run Ubuntu Server, you're not using X.org. If you're running Ubuntu 16.04 on the desktop, you're probably not using any snap packages (except maybe Firefox). By the time desktop applications start to be packaged in snappy form, Ubuntu will be using Mir as the display server instead of X.org.

Re:Misleading

[Uecker]

X11 is not fundamentally insecure. In fact, X11 had the security infrastructure to shield clients from each other for a long time. It is just not used and also has been neglected (people did not fix the bugs in applications which I filed - so some applications do not run as untrusted clients). The reason for this is that there was almost no point using it before, because different processes of the same user are not shielded against each other on Linux anyway, so there is nothing gained by doing it at the X level (maybe there is now with containers - although this is the wrong approach: containers are a security nightmare because the duplicate all library code). With respect to clients/processes of the same user, X is fundamentally much more secure than Linux has ever been - because at least in principle it had the infrastructure to protect clients from each other (although rudimentary and neglected).