Slashdot Mirror


Turns Out That Snaps Are Not Secure In Ubuntu With X11 (softpedia.com)

prisoninmate quotes a report from Softpedia: According to Matthew Garrett, a renowned CoreOS security developer and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. The fact of the matter is that X11's old design is well-known for being insecure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software, in this case anything you type on the Mozilla Firefox web browser. As more developers will provide snaps for their apps, Canonical needs to do something about the security of snaps in Ubuntu when using X11 or switch to the Mir display server. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server. Canonical has officially released Ubuntu 16.04 LTS, which is now available to download for those interested.

7 of 133 comments

  1. Huh? Snaps? by Anonymous Coward · · Score: 3, Insightful

    Snaps for apps? What in the fuck

  2. woah, just a minute by dominux · · Score: 4, Insightful

    If you have some software in a deb, and put that software in a snap, then you have increased your security slightly, but not much. If that software is then put on a Wayland or Mir desktop then you have increased the isolation of it a lot.
    If your software is in a .deb then you ran its installation script as root. If it was bad then you are toast already.
    Snaps can be installed without being root, into the user home directory. This is an increased level of ability to run untrustworthy software. This whole exercise is so that open source systems can run untrustworthy proprietary paid for apps without the untrustworthy apps being a huge risk to the peer-reviewed code and other proprietary apps.
    Snaps are *not* a step backwards, but they don't get all the way to the end goal by themselves. They may have been over-sold slightly by Canonical because they are mainly for the phone which runs Mir, plus things like Firefox on the desktop which are trustworthy.

  3. Re:So what? by Anonymous Coward · · Score: 0, Insightful

    Like a keylogger does. It can send that data out to another computer outside of it or the network it is on. Use your head. Think.

  4. Not quite that simple. by serviscope_minor · · Score: 5, Insightful

    Does XEvilTeddy still work over an SSH connection with ssh -X instead of ssh -Y? If not, then the problem is rather easily solvable, and the means to solve it have been there for years.

    Let me check...

    git clone configure make autoconf apt-get install blah blah oh wow a separate package for xtest wow you managed to save positively kilobytes for the 0 people who would install x11-dev but not xtest-dev blah blah make oh ffs it needs to be installed this is annoying. Oh hey didn't check your code paths, build build blah

    DONE!

    OK...

    ssh 127.0.0.1 -o 'ForwardX11Trusted no'

    aaaand...

    Oh look it doesn't work.

    So no, X11 is, yet again, not fundamentally broken. It has a "default allow" policy, but mechanisms have existed for decades to add security to it. The main failing for Ubuntu was not enabling the long-established security protections.

    --
    SJW n. One who posts facts.

  5. Re:Better summary by serviscope_minor · · Score: 5, Insightful

    The article/blog does _not_ explore if X11's "untrusted client" feature would help.

    I did, well, using SSH's one and yes it does help just fine.

    To repeat:

    xevilteddy does not work if you treat it as an untrusted client.

    The fault is with snaps for not marking them as untrusted, not with X11 for allowing trusted clients. In other news, if you run a compositor as trusted then that too can grab all keystrokes. In other other news if you treat the Wayland compositor as trusted it can grab keystrokes too.

    Trusted clients can do trusted shit. This is not especially exciting. It is good to know that Ubuntu aren't treating snaps as untrusted though. That's bad, but it's the fault of snaps, not the fact that X treats them as trusted when told to.

    --
    SJW n. One who posts facts.
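
The trusted/untrusted distinction that comments 4 and 5 rely on, as an added example that is not part of the thread: one function classifies the effective X11 forwarding policy from `ssh -G` output, and one starts a local client with an untrusted X SECURITY-extension cookie. The function names, the sample input and `somehost` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are illustrative.

# Classify the effective X11 forwarding policy from `ssh -G <host>` output
# read on stdin. Prints one of: off | untrusted | trusted
x11_trust_level() {
    awk '
        tolower($1) == "forwardx11"        { fwd = tolower($2) }
        tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# Run a command as an *untrusted* X11 client. `xauth generate` asks the X
# server (via the SECURITY extension) for a fresh cookie marked untrusted;
# a client that authenticates with it is refused access to other clients'
# input and windows. Needs a running X server, so it is only defined here.
run_untrusted() {
    cookie=$(mktemp) || return 1
    # "." is xauth shorthand for MIT-MAGIC-COOKIE-1; timeout 0 = never expires
    if ! xauth -f "$cookie" generate "$DISPLAY" . untrusted timeout 0; then
        rm -f "$cookie"
        return 1
    fi
    XAUTHORITY="$cookie" "$@"
    status=$?
    rm -f "$cookie"
    return "$status"
}

# Constructed sample of the two relevant lines from `ssh -G somehost`.
SAMPLE_SSH_G='forwardx11 yes
forwardx11trusted no'

# Real use: ssh -G somehost | x11_trust_level
printf '%s\n' "$SAMPLE_SSH_G" | x11_trust_level
```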
  6. Re:Better summary by markdavis · · Score: 4, Insightful

    +1 THANK YOU. Yet another unfounded attack on X11 to push an agenda. An agenda to push something that isn't necessarily better.

  7. Re:I don't see the big deal by C3lt · · Score: 3, Insightful

    By the time desktop applications start to be packaged in snappy form, Ubuntu will be using Mir as the display server instead of X.org.

    Why do you believe this to be true? 16.04 doesn't use Mir and is an LTS, people will be using it for years, and it is not even guaranteed yet that 16.10 will use Mir by default.