Slashdot Mirror

← Back to Stories (view on slashdot.org)

Turns Out That Snaps Are Not Secure In Ubuntu With X11 (softpedia.com)

Posted by BeauHD on from the insecurity-about-security dept.

prisoninmate quotes a report from Softpedia: According to Matthew Garrett, a renowned CoreOS security developer, and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, it is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. The fact of the matter is that X11's old design is well-known for being insecure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software, in this case anything you type on the Mozilla Firefox web browser. As more developers will provide snaps for their apps, Canonical needs to do something about the security of snaps in Ubuntu when using X11 or switch to the Mir display server. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server. Canonical has officially released Ubuntu 16.04 LTS, which is now available to download for those interested.

2 of 133 comments (clear)

  1. Re:slashdot's ubuntu coverage by F.Ultra · · Score: 1, Offtopic

    Well it was downmodded due to being an outright lie. There is no known problem with the MySQL unit file in Ubuntu 16.04 LTS, in fact it's very straight forward as compared with the horrible mess the System V init file for MySQL was.

  2. Re:slashdot's ubuntu coverage by Anonymous Coward · · Score: 0, Offtopic

    Can you please prove to us that it's an "outright lie"? You'll need to provide something substantive, like bug reports clearly indicating that the problems were fixed, with patches that we can review.

    It doesn't matter what software we're talking about. As responsible sysadmins and developers, we have to assume that all bug reports are true until proven otherwise.

    Even if you aren't experiencing problems with your particular setup, somebody else with a different setup may be experiencing them. They aren't "lying" when they report a problem that you aren't experiencing!

    I follow many Linux distro mailing lists, and I've seen a lot of reports of problems with systemd. It doesn't matter if the Linux distro is Fedora-based or Debian-based, a lot of people have had problems with systemd.

    So my instinct is to believe that, when presented with a bug report implicating systemd, that systemd is at fault until proven otherwise. It has been at fault for a lot of other people in many other cases.

    I'm glad that I browse Slashdot at -1. Now I know to be far more cautious than usual when dealing with Ubuntu 16.04 LTS thanks to its use of systemd, even if Slashdot mods want to suppress that info.