Turns Out That Snaps Are Not Secure In Ubuntu With X11

prisoninmate quotes a report from Softpedia: According to Matthew Garrett, a renowned CoreOS security developer, and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, it is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. The fact of the matter is that X11's old design is well-known for being insecure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software, in this case anything you type on the Mozilla Firefox web browser. As more developers will provide snaps for their apps, Canonical needs to do something about the security of snaps in Ubuntu when using X11 or switch to the Mir display server. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server. Canonical has officially released Ubuntu 16.04 LTS, which is now available to download for those interested.

Huh? Snaps?

Snaps for apps? What in the fuck

Re: Huh? Snaps?

[Type44Q]

You've been "keeping up" too much; step away from the computer. Just kidding... but you can still step away from the computer. ;)

Re:Huh? Snaps?

[arth1]

Snaps is very useful when dealing with apps.

Re:Huh? Snaps?

[FatdogHaiku]

Where is the standard apps guy comment?
You know, the "only Luddites use snappy apps for apps" stuff?
Was it suppressed by legions of paid {information deleted} trolls?

Re:Huh? Snaps?

YO DAWG, I put SNAPS in yo APPS

Re: Huh? Snaps?

Yo dawg...

Re: Huh? Snaps?

Buttons are safer. Zippers are cool, but hard to implement. Velcro is passé.

So what?

[Ultra64]

A program on a computer can access the data of another program on the same computer?

Why is this supposed to bother me?

Re:So what?

> A program on a computer can access the data of another program on the same computer?

You do everythng as root? Or you still on DOS?

Re:So what?

Like a keylogger does. It can send that data out to another computer outside of it or the network it is on. Use your head. Think.

Re:So what?

Or Ubuntu. Oh Snap!

--sf

Re:So what?

It is totally trivial to install a keylogger on Ubuntu and other linux distros, so the GP has a point.

Re:So what?

[igloo-x]

It is totally trivial to install a keylogger on Ubuntu

Wouldn't it be great if it wasn't, though.

Re:So what?

[serviscope_minor]

Wouldn't it be great if it wasn't, though.

Kind of hard to make it nontrivial though:

sudo dkpg -i ~/Downloads/kernel-keylogger.deb

Re: So what?

[Type44Q]

But it is. If you want real security, you need to run OS X... or better yet, Windows.

Re: So what?

[serviscope_minor]

If you want real security, you need to run OS X... or better yet, Windows.

Not sure if trolling or serious...

Help me out.

Re: So what?

[Type44Q]

If you have to ask... ;)

Re: So what?

[Type44Q]

That right there was, by the way, me politely keeping my ass-cheeks clenched so as to avoid parting your hair with a massive "whoosh" sound. :)

Re: So what?

[serviscope_minor]

If you have to ask... ;)

Yeah, but remember Poe's law...

Re: So what?

[Type44Q]

I may be the smartest dumb person ever; in any case, I had to look that up...

Re:So what?

All you have to do is disable "interposed events".

No keylogging.

Re:So what?

Or Ubuntu. Oh Snap!

--sf

Hello, Queen Latifa. LOL

Re:So what?

[Immerman]

Sure.

As I understand it though, one of the selling points of Snaps is that they are much more sandboxed than traditional packages, so that you don't have to worry about them as much - install keylogger.snap (or whatever), and it can only log keystrokes intentionally sent to it. At least if you're not running X11.

Frankly I think it's a long overdue move, that keyloggers even exist on any platform is evidence that inter-application security has been atrocious for a long time. User based security is nice and all, but is pretty much pointless on a single-user machine.

Re:So what?

User based security on a single user machine is perfectly valid, what we need is to make it more seamless. E.g running your browser as a separate user is perfectly valid, the problem is the lack of transparency in the UI.

Re: So what?

As 'root' (which sudo will give you if you know the credentials), you can do whatever the hell you want on the machine. Including installing keyloggers or anything else.

Sounds like 'snaps' is malware and allows screen grabs -- will not be installing on my boxen.

Re: So what?

[TopherC]

AFAICT, snaps is no worse in this regard than any other packaging system out there: dpkg, rpm, pacman, etc. Am I right? Is all this fuss about the claim of better-but-not-actually-perfect sandboxing? Admittedly there is this gaping hole in X11 security (the way it's implemented in any case), which has been around for decades. But the article makes it sound like snaps are a new kind of bad. I don't think that's true, but hopefully some slashdotter will set me straight.

Re:So what?

[Immerman]

Valid, sure. Just mostly pointless, because how many people actually run their web browser as a different user? Yeah, it makes it much easier to keep malware from tampering with system processes, etc, but that doesn't really gain you much - oh great, the malware can't touch my OS, all it can do is monitor everything I do and access all my personal files. I feel so much safer.

Well, okay, I suppose it's nice that you don't have to worry about things like the old class of viruses where opening an infected file in Word would infect the executable, which would then infect all future files you opened. But that's still like plugging one hole in a sieve.

Personally I would love to see a One Laptop Per Child style per-app, per-functionality permissions system showing up in desktop OSes. Android sort of does it, except then they went and grouped permissions into huge lumps of unrelated permissions, and then only inform you of the required lump permissions, rather than giving you the option to simply deny access. I'm hoping the day will come when it's normal for each application to have an OS-controlled permissions screen with checkboxes beside all the permissions it requests, and app-supplied explanations of what functionality each permission is required for. Lets stop with this all-or-nothing trust model.

Re: So what?

>AFAICT, snaps is no worse in this regard than any other packaging system out there: dpkg, rpm, pacman, etc

It isn't. The question doesn't involve packaging systems, but involves trusting the developer or packager to not sneak in malware when you install their software. You could unpack a tar.gz source archive that you downloaded from a developers website, run make (as ordinary user) and get owned in the same way as MJG's silly snappy package if the developer included an evil makefile. The fact is, despite what the defenders of X11 here are saying about X11 security mechanisms, no distributions actually ship their systems with them turned on because they create a usability headache for ordinary users. They're like any other Linux security mechanism in that they're available, but not used by default in most cases. Capabilities, ACL's, polkit policies beyond distro supplied ones, Apparmor in reporting mode, SELinux (usually disabled by newbies) etc., etc. If they aren't turned on by the distro, then they rarely get turned at all by ordinary desktop users.

Re:So what?

[unrtst]

Valid, sure. Just mostly pointless, because how many people actually run their web browser as a different user?

...

I'm hoping the day will come when it's normal for each application to have an OS-controlled permissions screen with checkboxes beside all the permissions it requests, and app-supplied explanations of what functionality each permission is required for.

Seriously? You think it's too much work to run a browser as a different user, but you think anyone will bother to review every individual permission buried in a per-app config setting, and re-verify on every update?

Re: So what?

The fact is, despite what the defenders of X11 here are saying about X11 security mechanisms, no distributions actually ship their systems with them turned on because they create a usability headache for ordinary users.

The feature is turned on. The Snaps system just has to run the application in such a way that it counts as untrusted. That doesn't need to change how normal programs work in any way.

Re:So what?

[Immerman]

Those who care? Yes. And for the rest you can highlight the most questionable access permissions: network, webcam, non-sandboxed file system, etc. Maybe even include groups of actually related permissions that can be granted/denied en masse for convenience, just allow users to also change them individually when necessary. Heck, you could even have a default profile governing the permissions granted to all applications in the absence of application-specific settings. Then the user only needs to decide if a particular application should get any special treatment.

Why would you re-verify permissions for an update? Updates should default to keeping the same permissions the previous version had, only if it asks for new permissions not previously either granted or denied, do you need to ask the user which of those new permissions to allow.

If you're feeling particularly security conscious you could even add an "ask every time" permission setting - just because I occasionally want to use my webcam through my browser, doesn't mean I want anything that hijacks my browser at any time to have that access.

Re: So what?

[yithar7153]

In all seriousness, if you want security, run ChromeOS. There's a chain of trust that starts from the Trusted Platform Module. Basically Verified Boot makes sure that someone hasn't modified the system code. And then for other applications, they have to run in a sandbox like NaCL or the pepper plugins. NaCl allows ChromeOS to run native code, but it doesn't have direct access to the OS.

Re: So what?

No, it isn't. Use any distro that you like and follow the instructions here:
http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html

Misleading

This is nothing new. X11 is fundamentally insecure. Yes, another application can send input to your xterm that's su'd to root. Nothing new.

Re:Misleading

[Uecker]

X11 is not fundamentally insecure. In fact, X11 had the security infrastructure to shield clients from each other for a long time. It is just not used and also has been neglected (people did not fix the bugs in applications which I filed - so some applications do not run as untrusted clients). The reason for this is that there was almost no point using it before, because different processes of the same user are not shielded against each other on Linux anyway, so there is nothing gained by doing it at the X level (maybe there is now with containers - although this is the wrong approach: containers are a security nightmare because the duplicate all library code). With respect to clients/processes of the same user, X is fundamentally much more secure than Linux has ever been - because at least in principle it had the infrastructure to protect clients from each other (although rudimentary and neglected).

Re:Misleading

[mattventura]

Surely it couldn't be that hard to fix. As I understand it, the only reason to let applications grab events from other applications is to allow global hotkeys to be implemented. If that's the case, then don't send alphanumeric keys to other applications, unless accompanied with a modifier other than Shift or AltGr.

Re:Misleading

Yeah, actually X11 is unsecure. Just because there's some complicated security mechanism available to secure it doesn't mean shit if not enabled by default because it interferes with the usability of the system. You see all the time on mailing lists and forums new Fedora users looking to disable SELinux because they can't do what they want to do with their systems. It's like ACL's and capabilities in the linux kernel. The security measures are present, but no one uses them outside of a server context.

Re:Misleading

[Uecker]

The security mechanism isn't complicated at all. In fact, it is probably too simply. I explained why it is not used: because processes of the same user can already spy and manipulate each other anyway.

Re:Misleading

Tell me, how does an ordinary desktop user enable it?

Re:Misleading

One way would be to use 'ssh -X localhost'. (Note, however, that some distros enable the 'ForwardX11Trusted' option in the system ssh configuration, which makes 'ssh -X' act like 'ssh -Y', so you would also have to turn that option off.)

Re:Misleading

Ding ding ding.

The real issue here is that the Gnome-ists got hung up on using straight OpenGL to accelerate the drawing of their DE, turning X into a "dumb" canvas for them to draw on.

You see this with Compiz and later that basically plonked a massive window across the screen, and then used OpenGL to draw inside it to produce the windows etc.

So with Wayland they go one step further, punt X out of the way completely.

What they don't say is that this will bring a whole host of restrictions of what you can do with your desktop in the process.

Because now your WM/DE is completely in charge, where before X had a say in how things were done.

Expect there to be a clash of DE's, with Gnome getting the weight of RH behind it, PDQ.

slashdot's ubuntu coverage

So first we get a "hey, the new ubuntu is due tomorrow" story, then a "new ubuntu released" story, and now this "hey, the new ubuntu is not secure" story.

Can we tone down the ubuntu stories a little bit?

But my submission about the Firebird SQL database version 3.0's release, arguably the most important release in their 14-year history, didn't make it. (it's here, by the way)

Re:slashdot's ubuntu coverage

Oh, there's a second submission in the queue. Let's go fix this oversight now. We haven't had a single developer-related article in a looooong while. (Seriously. Try browsing developers.slashdot.org and tell me how many stories are on-topic.)

https://slashdot.org/submission/5791389/firebird-30-is-released

[Oh, and please don't mod ACs like us off-topic. It's difficult enough to get visibility as a +0 AC already. Thanks!]

Re:slashdot's ubuntu coverage

[Quzak]

You are right, too many Ubuntu stories. We need to go back to the Apple vs FBI Mortal Kombat stories!

Re:slashdot's ubuntu coverage

What's even worse than the poor choice of submission selection is the censoring that has gone on in the Ubuntu stories. For example, I saw one comment reporting a possible problem with the systemd unit files for MySQL. As a potential Ubuntu and MySQL user, it's important for me to know about possible problems such as that one. Yet that comment was modded down. Even worse than that, somebody (or somebodies) went through and systematically modded down many of the replies to that comment, too!

This release of Ubuntu is an LTS release. Some of us could potentially be using it until 2021. If somebody is having problems with a critical part of this release, then it's important to get the word out. We shouldn't have abusive Slashdot moderators suppressing information that could potentially save people a lot of time. If there are problems with systemd and MySQL in Ubuntu, then we need to know about them.

Re:slashdot's ubuntu coverage

[F.Ultra]

Well it was downmodded due to being an outright lie. There is no known problem with the MySQL unit file in Ubuntu 16.04 LTS, in fact it's very straight forward as compared with the horrible mess the System V init file for MySQL was.

Re:slashdot's ubuntu coverage

Apparently, somebody didn't know how to write one...

They are quite simple.

Re:slashdot's ubuntu coverage

But who in this age of interwebs knows how to write a shell script? It's not Rust nor JSON, so it's not hip. Who's gonna learn something as unhip as sh?

Re:slashdot's ubuntu coverage

Can you please prove to us that it's an "outright lie"? You'll need to provide something substantive, like bug reports clearly indicating that the problems were fixed, with patches that we can review.

It doesn't matter what software we're talking about. As responsible sysadmins and developers, we have to assume that all bug reports are true until proven otherwise.

Even if you aren't experiencing problems with your particular setup, somebody else with a different setup may be experiencing them. They aren't "lying" when they report a problem that you aren't experiencing!

I follow many Linux distro mailing lists, and I've seen a lot of reports of problems with systemd. It doesn't matter if the Linux distro is Fedora-based or Debian-based, a lot of people have had problems with systemd.

So my instinct is to believe that, when presented with a bug report implicating systemd, that systemd is at fault until proven otherwise. It has been at fault for a lot of other people in many other cases.

I'm glad that I browse Slashdot at -1. Now I know to be far more cautious than usual when dealing with Ubuntu 16.04 LTS thanks to its use of systemd, even if Slashdot mods want to suppress that info.

Re:slashdot's ubuntu coverage

[Oh, and please don't mod ACs like us off-topic. It's difficult enough to get visibility as a +0 AC already. Thanks!]

Thanks for listening, Mr Mod!

Re:slashdot's ubuntu coverage

[jedidiah]

WHY would the init script for MySQL need to be a mess? Just what is it doing that's terribly complex or the least bit subtle?

Neither variant should be that interesting actually...

Re: slashdot's ubuntu coverage

Why is he modded down? This is absurd. Systemd shills are out in full force today.

I see nothing wrong with the above post. He is asking serious questions.

The problem is, the systemd trolls don't want us to see this info. Because it just shows how incompetent they really are. The truth will come to light.

Re:slashdot's ubuntu coverage

[F.Ultra]

Because System V init does not do process monitoring and service restart upon crash the MySQL people decided to write their own work around using shell scripts, this is why you can see a mysqld_safe process running as well as the regular mysqld on non systemd systems. mysqld_safe is a 1117 line bash script and /etc/init.d/mysql (the System V init script for MySQL) is a further 197 lines of bash:

root@sql:~# wc /usr/bin/mysqld_safe
1117 4059 31801 /usr/bin/mysqld_safe
root@sql:~# wc /etc/init.d/mysql
197 777 5742 /etc/init.d/mysql

Since this monitoring is done by a bash script it's not always 100% safe, I have on several occasions encountered situations where a "service mysql stop" returned with OK but that the mysqld_safe process refused to die, noticed that mysql where stopped and restarted it behind the scenes resulting in upgrades going to complete shit among other things.

Since all that shit is now instead handled properly by systemd due to i.e control groups the unit file for MySQL is extremely simply and straightforward:

# MySQL systemd service file

[Unit]
Description=MySQL Community Server
After=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=mysql
Group=mysql
PermissionsStartOnly=true
ExecStartPre=/usr/share/mysql/mysql-systemd-start pre
ExecStart=/usr/sbin/mysqld
ExecStartPost=/usr/share/mysql/mysql-systemd-start post
TimeoutSec=600
Restart=on-failure
RuntimeDirectory=mysqld
RuntimeDirectoryMode=755

No more mysqld_safe siliness and also everything down to a 20 line unit file that is a hell of a lot easier to parse manually than the old init scripts.

So I do hope that people will now see that the AC:s that keep posting these lies are in fact just lying trolls, not a single one of them have ever read the MySQL unit file and not a single one of them have ever run MySQL on a distribution using systemd.

Re:slashdot's ubuntu coverage

[F.Ultra]

There are no bug reports where the "problem" with MySQL where fixed because there never where any bug reports that there where any problems in the first place. And this is because there is no problem with the MySQL unit file, and there never was, you just fell for a troll that have posted the same thread of posts to each Linux related article in the latest weeks.

Re:slashdot's ubuntu coverage

Because System V init does not do process monitoring and service restart upon crash the MySQL people decided to write their own work around using shell scripts, this is why you can see a mysqld_safe process running as well as the regular mysqld on non systemd systems. mysqld_safe is a 1117 line bash script and /etc/init.d/mysql (the System V init script for MySQL) is a further 197 lines of bash:

...You'd wish they'd spend the effort on fixing their server-crash bugs rather than working around them with a lengthy script.

Ah well, happily MySQL-free here since 2007 or so.

Re:slashdot's ubuntu coverage

[F.Ultra]

Sorry to rain on your parade but all database servers have this feature. PostgreSQL uses a master provess that restarts the backend processes if they crash. Microsoft SQL Server have a SQL Server Agent that does the very same thing and so on.

Re: slashdot's ubuntu coverage

[i.kazmi]

I definitely do not like Systemd but there is absolutely nothing wrong with MySql unit files in Ubuntu (typing this on Kubuntu 15.10 with Kubuntu 16.04 running in a vm under virtual box, both the guest and the host have the complete LAMP stack running)...that user was either trolling or had no idea what they were talking about and were rightly buried.

good for them.

i never caught on to the whole docker container/snap package thing anyways. since when did it get so hard to set things up by yourself? also, if your package manager sucks balls, then you need to find a new distro. stop putting up with crap.

Re:good for them.

i never caught on to the whole docker container/snap package thing anyways. since when did it get so hard to set things up by yourself? also, if your package manager sucks balls, then you need to find a new distro. stop putting up with crap.

Containers are great for deploying a standard environment instead of the end-users natively installing and configuring various applications. I use containers extensively in data science.

Better summary

[isj]

"snaps" is a new package format for applications on Ubuntu. It is basically a package with dependencies, bundled together and meant for running in a container (docker or lxc I suppose?) which means that the OS is protected from it.

However, since the application has access to X11 window server it has access to the facilities in it including monitoring keystrokes and mouse gestures sent to other X11 applications. So essentially a "snaps" can be a trojan keylogger.

The article/blog does _not_ explore if X11's "untrusted client" feature would help.

Re: Better summary

The article/blog does _not_ explore if X11's "untrusted client" feature would help.

IIRC the X.org geniuses removed that. But what do you expect when you let people who hate the software develop it?

Re:Better summary

[serviscope_minor]

The article/blog does _not_ explore if X11's "untrusted client" feature would help.

I did, well, using SSH's one and yes it does help just fine.

To repeat:

xevilteddy does not work if you treat it as an untrusted client.

The fault is with snaps for not marking them as untrusted, not with X11 for allowing trusted clients. In other news, if you run a compositor as trusted then that too can grab all keystrokes. In other other news if you treat the Wayland compositor as trusted it can grab keystrokes too.

Trusted clients can do trusted shit. This is not especially exciting. It is good to know that ubuntu aren't treating snaps as untrusted though. That's bad, but it's the fault of snaps, not the fact that X treats them as trusted when told to.

Re:Better summary

[markdavis]

+1 THANK YOU. Yet another unfounded attack on X11 to push an agenda. An agenda to push something that isn't necessarily better.

Re: Better summary

[Type44Q]

...to push an agenda. An agenda to push something that isn't necessarily better.

Well said.

Re:Better summary

So, the vulnerability is entirely X11

Re:Better summary

The article/blog does _not_ explore if X11's "untrusted client" feature would help.

I did, well, using SSH's one and yes it does help just fine.

To repeat:

xevilteddy does not work if you treat it as an untrusted client.

The fault is with snaps for not marking them as untrusted, not with X11 for allowing trusted clients. In other news, if you run a compositor as trusted then that too can grab all keystrokes. In other other news if you treat the Wayland compositor as trusted it can grab keystrokes too.

Trusted clients can do trusted shit. This is not especially exciting. It is good to know that ubuntu aren't treating snaps as untrusted though. That's bad, but it's the fault of snaps, not the fact that X treats them as trusted when told to.

Anything that connects to the display (and keyboard and mouse or other SHARED input/output device by implication) needs to be trusted.

That's true in Windows and Linux and Unix and IBM mainframes and on and on.

Oh, and it'll be JUST AS FUCKING TRUE ON WAYLAND - THAT BENIGHTED SOLUTION IN SEARCH OF A PROBLEM.

Re:Better summary

[rastos1]

The fault is with snaps for not marking them as untrusted, ..

This is unknown ground for me, so I have to ask: how can the client be marked as trusted/untrusted? (I assume that this is not something specific to snaps)

Re:Better summary

[serviscope_minor]

No, it's a general thing with program security. You can mark programs as trusted or untrusted using a variety of mechanisms.

For example, you can run programs as root (very truseted as they get access to everything), as a normal user (moderately trusted: they can't muck up the whole machine, but they can muck up the user), as a guest user (same, but there's nothing much to muck up) and the using various things like cgroups/jails to sandbox it further.

X has a mechanism to say a client is untrusted in which case it's not allowed to mess with windows that it doesn't own. Trusted clients can mess with each other's windows.

Re:Better summary

[Roadmaster]

False, snaps are not "meant for running in a container". Isolation (both from other snaps and to keep control over which devices and resources it can access) is achieved via other mechanisms, such as apparmor restrictions. Also, the entire snap is packaged as a squashfs, and all snaps are simply mounted read-only, so they can't modify each other's (or even their own) packaged files.

Snaps also have access to a per-snap writable directory for user and runtime data, but again, they can't even see other snaps' writable dir.

Re:Better summary

[rastos1]

X has a mechanism to say a client is untrusted in which case it's not allowed to mess with windows that it doesn't own. Trusted clients can mess with each other's windows.

Can you be more specific? What is this mechanism? Is this about something like having access to X magic cookie stored in ~/.Xauthority? Environment variable? Can I mark /usr/bin/firefox as untrusted, but /usr/bin/xterm as trusted?

Re:Better summary

[serviscope_minor]

Can you be more specific?

X SECURITY extension. The simplest way to access it is to forward X over SSH with the untrusted setting, but that simply sets up the server mechanism.

Re:Better summary

Can you be more specific?

X SECURITY extension. The simplest way to access it is to forward X over SSH with the untrusted setting, but that simply sets up the server mechanism.

THAT is the simplest way to access X securely, by running remote code??

There's an awful lot of X11 defenders here, so tell the rest of us why the secure option isn't on by default please.

Re:Better summary

[serviscope_minor]

THAT is the simplest way to access X securely, by running remote code??

It's the simplest method in that it's 1 line. You can also ssh to 127.0.0.1 which is not terribly remote as these things go.

There's an awful lot of X11 defenders here, so tell the rest of us why the secure option isn't on by default please.

Same reason that most userland programs aren't by default run in a filesystem and syscall sandbox.

Re:Better summary

[ilsaloving]

Is this a fundamental problem with the packaging system, or because the package creator didn't set the appropriate options? Would it be solved by having snap have a default setting of untrusted?

Re:Better summary

[isj]

THAT is the simplest way to access X securely, by running remote code??

It's a one-liner by using SSH to localhost.

The "correct way" is a bit more cumbersome: Use 'xauth' to generate an authorization key with the "untrusted" flag, then tell the untrusted program to use that authorization key with the XAUTHORITY environment variable.

Re: Better summary

Is there a particular tutorial or something else to set this up?

I've used X over SSH for remote access before, so I'm well aware of the options in ssh_config and the ForwardX11Trusted option. But how do I "easily" start applications using ssh in my local machine? Do I need to forward every application? Or just the window manager? That's where it gets fuzzy for me, I have experience with these options, but I'm not an expert or even intermediate user.

How would we go about doing it "the right way"? I've never used xauth before and got a little confused. Is it just a matter of running "$ xauth generate :0 ." as the man page suggests?

Re: Better summary

$ xauth -f .Xauthority-untrusted generate :0 . untrusted
$ XAUTHORITY=.Xauthority-untrusted xterm

Re: Better summary

[rastos1]

$ xauth -f .Xauthority-untrusted generate :0 . untrusted
$ XAUTHORITY=.Xauthority-untrusted xterm

Very interesting. Thank you. It fails on my system with

xauth: (argv):1: couldn't query Security extension on display ":0"

but I'll certainly investigate further. I guess that can be just my distro.

Re:Better summary

[rastos1]

It seems that is not going to work :-( See this post:

Untrusted X11 forwarding was meant to be a way to allow logins to unknown or insecure systems. It generates a cookie with xauth and uses the Security extension to limit what the remote client is allowed to do. But this is widely considered to be not useful, because the Security extension uses an arbitrary and limited access control policy, which results in a lot of applications not working correctly and what is really a false sense of security. This is true even today; I rebuilt XWin with Security enabled and 'ssh -X' into my linux VM, and got BadAccess errors from *any* GTK2 program. More on this subject:

http://www.openssh.com/faq.html#3.13
http://www.nsa.gov/selinuX/papers/x11/x93.html

Given the limited usefulness of untrusted X11 forwarding, *upstream* has disabled it by default in favour of other security models.

Btw, since the extension is disabled/not present the ssh -X falls back to ssh -Y (untrusted forwarding) on most systems.

Re:Better summary

[benjymouse]

Anything that connects to the display (and keyboard and mouse or other SHARED input/output device by implication) needs to be trusted.

That's true in Windows and Linux and Unix and IBM mainframes and on and on.

Oh, and it'll be JUST AS FUCKING TRUE ON WAYLAND - THAT BENIGHTED SOLUTION IN SEARCH OF A PROBLEM.

Guess they'll have to reinvent User Interface Privilege Isolation. Don't hold your breath, though.

Re:Better summary

[serviscope_minor]

Btw, since the extension is disabled/not present the ssh -X falls back to ssh -Y (untrusted forwarding) on most systems.

Huh interesting. I'm on stock ubuntu 14.04 and my tests showed it prevented xevilteddy from working. I'm not surprised though about GTK, it generally abuses the X protocol quite badly, and gets lots of things wrong. For example GTK programs frequently crash if I restart the system tray program. Skype never does and if you're doing worse than Skype, you fucked up badly!

Re:Better summary

[columbus]

Guys, I think you're getting the intent of the story wrong. It's not an X11 security problem. It's primarily a PR problem for Ubuntu & secondarily, it's a security problem for snaps.

Ubuntu has been promoting snaps as a more secure way of packaging
https://insights.ubuntu.com/20...

And the research that Matthew Garret has done has demonstrated that the security provided by the snaps framework is not terribly good. So that's a PR problem for Ubuntu if one of the primary features they are advertising is demonstrated not to be fit for purpose. Personally I don't think that Ubuntu cares much about the security aspect of snaps. I think they care more about convenience and monetary gain. And I don't have a problem with either of those motivations.

in.re. convenience: The apt package management system has many benefits, but it has problems with software development projects that run at different cadences. Remember when Ubuntu 8.04 LTS shipped with Firfox 3 beta? The apt system would lock you into the beta version for the life of the release. With snaps, you could upgrade just one application (like Firefox or Libre Office) without upgrading all of the libraries on your OS or upgrading your OS as a whole. I think that's pretty useful.

in.re. monetary gain: Canonical has poured a lot of effort and money into Linux over the course of a decade. I wouldn't mind seeing them reap the rewards of their efforts in a monetary form. It looks like they want to run an AppStore to do this & an app-store just won't integrate well with apt. But it will with snaps. So good on them.

I would just like them to be a bit more open about their motivations. I don't think the release of snaps has much to do with a desire for security, at least in a desktop environment.

Re:Better summary

Links 404. Citation needed on "false sense of security". It's true that some clients don't behave properly when running untrusted, but that is a usability problem, not per se a security problem.

By the way, it is not the case nowadays that all GTK+ 2.x programs will crash when running untrusted. (That may have been true 7 years ago, but bugs do sometimes get fixed.) They're slow (probably due to the lack of RENDER) but they do work.

I would agree that if 'ssh -X' silently falls back to -Y when the server doesn't support SECURITY, that is a bug in ssh, and *that* could potentially give a false sense of security. That is not a flaw in X, however.

Re:Better summary

There's an awful lot of X11 defenders here, so tell the rest of us why the secure option isn't on by default please.

1. Because many, many X programs were written before that extension existed, and don't behave quite right when running in "untrusted" mode.

2. Because untrusted mode also disables extensions such as MIT-SHM and RENDER, meaning that even properly-written applications will be noticeably slower in that mode.

3. Because some applications require hardware-accelerated video decoding or 3D rendering, and video cards simply aren't designed to make that possible in a sane and secure way.

4. Because everybody runs some number of programs (window managers, screensavers, accessibility tools...) that really need full "trusted" access.

Basically, this is a useful feature which has never been fully developed because there hasn't been a great deal of demand for it. (As others have noted, it's quite useless unless combined with *other* sandboxing mechanisms to prevent programs reading one another's data.) Maybe Ubuntu can push things in the right direction.

Re:Better summary

Another trick is nested X sessions.

Only issue there is that you can't resize a X session on the fly...

Re:Better summary

[rastos1]

Links 404.

Re: links - I just quoted the post. And yes it is from 2008.

So much for Open SORES

"All those eyes on the code" didn't help here or on Google Chrome's Open SORES code used to make malware out of it http://it.slashdot.org/story/15/10/20/1254225/efast-malware-hijacks-browser-with-chrome-clone

Re:So much for Open SORES

For free software the project can be integrated through distro maintainers and some auditing can go on. At least compiling and testing a more reduced set of versions by a bigger community of users.
I think snap is mostly to make life easier for proprietary application distributors, so they can hide any secrets, avoid integration and maintainers and still get access to users.
So I don't understand why you are taking on open source ?

Re: So much for Open SORES

[Type44Q]

Don't feed the shills so nicely and politely; it works better if you cram the shit down their throats with the equivalent of the butt-end of an iron-banded oaken staff.

woah, just a minute

[dominux]

If you have some software in a deb, and put that software in a snap, then you have increased your security slightly, but not much. If that software is then put on a Wayland or Mir desktop then you have increased the isolation of it a lot.
If your software is in a .deb then you ran it's installation script as root. If it was bad then you are toast already.
Snaps can be installed without being root, into the user home directory. This is an increased level of ability to run untrustworthy software. This whole exercise is so that open source systems can run untrustworthy proprietary paid for apps without the untrustworthy apps being a huge risk to the peer-reviewed code and other proprietary apps.
Snaps are *not* a step backwards, but they don't get all the way to the end goal by themselves. They may have been over-sold slightly by Canonical because they are mainly for the phone which runs Mir, plus things like Firefox on the desktop which are trustworthy.

Re:woah, just a minute

[Lumpy]

I have been able to run standard apps in user land forever, this is NOT something new. you can easily compile and run an app in the restricted user directory as an X11 app and it cant go digging through the rest of the system.

the hostile app can trash the user directly or try and fake them into giving it escalated privileges but absolutely anything that can display something on the screen or have read/write to the users directory can do that.

Re:woah, just a minute

[dominux]

naturally, but this is about the packaging. If you install a deb with sudo then you are running executable code that lives inside the deb with root privileges. With snap installation there is no postinst script or anything that runs as root as part of the install. You might run the snap installer as root, and that might process some commands in the snap, but it isn't running arbitrary code as root I think.

Re:woah, just a minute

[Lumpy]

With a statically compiled binary there is nothing to install. a single file that when launched does everything it needs and has everything it needs, eliminating the dependency hell that linux still suffers badly from.

Honestly I still don't see any real reason for these.

Re:woah, just a minute

[Uecker]

I always wanted a "secure deb" format which does not run maintainer scripts and only allows files to be installed in certain directories. Together with reproducible builds this could solve this problem. Containers are not great it terms of security because you risk having all the duplicated libraries. There are reasons people invented advanced packaging formats and those reasons do not simply go away now containers are the new hype...

Re:woah, just a minute

[Uecker]

I agree. Containers essentially have the same properties of statically compiled binaries. The reason they exist is that you can just put existing stuff in there easily without having to refactor. There are just another rotation of the wheel of software complexity (you nicely separate stuff, then you add a lots of interfaces because things need to interact, then you end up having a mess so you create another higher level of separation, etc.)

Re:woah, just a minute

[thegarbz]

Sorry but not in the slightest. If you don't have root access to the system you can only compile and run an app in the restricted user directory if you have the explicit blessing of a sys-admin who has done all the wonderful pre-work of ensuring you have all necessary libraries available for you. Beyond that you're SOL.

Re:woah, just a minute

[Uecker]

You can always set up a local chroot environment with all necessary dependencies. Sounds difficult? For stuff which is properly packaged, there are fully automatic systems which do this for you... No root required.

Re:woah, just a minute

[thegarbz]

Sounds difficult?

... we're talking about installing a frigging program. If you can't double click the damn thing and call it a day then yes, definitely too difficult.

http://howfuckedismydatabase.c...

Re:woah, just a minute

[Uecker]

I answered to your claim that you need a sysadmin to locally install software. This is not true. I am not sure if somebody made it double-clickable for idiots, but it would be easy to do without inventing a new package format.

Re:woah, just a minute

You can also dump a LGPL lib into a container and claim it is still dynamically linked...

Re:woah, just a minute

[Uecker]

Good point.

Not quite that simple.

[serviscope_minor]

Does XEvilTeddy still work over an SSH connection with ssh -X instead of ssh -Y? If not, then the problem is rather easily solvable, and the means to solve it have been there for years.

Let me check...

git clone configure make autoconf apt-get install blah blah oh wow a separate package for xtest wow you managed to save posivily kilobytes for the 0 people who would install x11-dev but not xtest-dev blah blah make oh ffs it needs to be installed this is annoying. Oh hey didn't check your code paths, build build blah

DONE!

OK...

ssh 127.0.0.1 -o 'ForwardX11Trusted no'

aaaand...

Oh look it doesn't work.

So no, X11 is, yet again not fundementally broken. It has a "default allow" policy, but mechanisms have existed for decades to add security to it. The main failing for ubuntu was not enabling the long-established security protections.

Re:Not quite that simple.

Since you already did the hard work of compiling it, could you verify the security extension also works properly without ssh:

$ xauth -f .Xauthority-untrusted generate :0 . untrusted
$ XAUTHORITY=.Xauthority-untrusted xevilteddy

Thanks :-)

Re:Not quite that simple.

[serviscope_minor]

Ah thanks, that was the incantation I was looking for.

Re:Not quite that simple.

[HelpTheNewOverlord]

Wouldn't it be a problem If xevilteddy simply changed the environment? Or launched another process without this environment variable?

Re:Not quite that simple.

[Foresto]

Wouldn't it be a problem If xevilteddy simply changed the environment? Or launched another process without this environment variable?

If I understand xauth correctly, the answer is yes, assuming xevilteddy could find another file containing trusted xauthority credentials. (For example, the original .Xauthority file.) I suggest isolating xevilteddy in a container (LXC), and not putting the trusted credentials in that container.

Re:Not quite that simple.

[serviscope_minor]

Wouldn't it be a problem If xevilteddy simply changed the environment? Or launched another process without this environment variable?

No, because this is about snaps, which are containerised and sandboxed. It would have to exploit another hole to break out of the container and get at the trusted .xauthority file.

Re:Not quite that simple.

[Foresto]

Also keep in mind that having an untrusted cookie in an .Xauthority file won't restrict an application that has full display access via xhost, as they do by default on distributions like Ubuntu.

The OS will be protected from it anyway...

[Viol8]

...so long as its not running as root. That is kind of the whole point of OS's with user priviledge levels, file system permissions and protected virtual memory. Thats not what containers are for. I could explain but just go google FFS.

Is snaps secure with anything?

[Lumpy]

Honestly this sounds like Snaps in general are horribly insecure on their own.

Re: Is snaps secure with anything?

[Type44Q]

Is Snap another more of Lennart's scat that he seems to be dropping all over the place?

Re: Is snaps secure with anything?

Is Snap another more of Lennart's scat that he seems to be dropping all over the place?

So, Snap-scat?

Re:Is snaps secure with anything?

xdg-app will suffer the same fate until Wayland is rolled out.

I don't see the big deal

[LichtSpektren]

If you run Ubuntu Server, you're not using X.org. If you're running Ubuntu 16.04 on the desktop, you're probably not using any snap packages (except maybe Firefox). By the time desktop applications start to be packaged in snappy form, Ubuntu will be using Mir as the display server instead of X.org.

Re:I don't see the big deal

[C3lt]

By the time desktop applications start to be packaged in snappy form, Ubuntu will be using Mir as the display server instead of X.org.

Why do you believe this to be true? 16.04 doesn't use Mir and is an LTS, people will be using it for years, and it is not even guaranteed yet that 16.10 will use Mir by default.

Re:I don't see the big deal

[LichtSpektren]

Since, as you said, 16.04 is LTS, that means that the .DEB packages which are in place now aren't going anywhere. The only packages that currently exist in Snappy Core are enterprise server things.

Re:I don't see the big deal

You can run Mir and Unity8 now in 16.04 as a "Preview" desktop.

Re:I don't see the big deal

[thegarbz]

If you run Ubuntu Server, you're not using X.org.

Oh that's news to me, given you can add Xorg just like any other package. Why the assumption that every Ubuntu server doesn't have a GUI? There's even manual pages specifically for Ubuntu Server dedicated to telling you the *various* ways you can install Xorg on an Ubuntu server and comes with a nice list of packages that help administer servers via a GUI, and that Xorg and associated libraries get the same length of support in the LTS release as the other packages do.

Re:I don't see the big deal

[C3lt]

Since, as you said, 16.04 is LTS, that means that the .DEB packages which are in place now aren't going anywhere. The only packages that currently exist in Snappy Core are enterprise server things.

I don't understand the relevance of your comment. 16.04 supports Snaps, uses X by default, and will be around long enough that snaps will be available for people to download and use within its lifetime, right? If that statement is true, then there is a security risk.

Except Mir == Wayland

And Wayland does the same thing.

Not to mention the simple fact probably the #1 question for Ubuntu Server is "How do I install a GUI?"

Re:Except Mir == Wayland

[LichtSpektren]

And Wayland does the same thing.

Not to mention the simple fact probably the #1 question for Ubuntu Server is "How do I install a GUI?"

I don't think you know what you're talking about.

Except Mir == Wayland

[mpapet]

And Wayland has the same feature... No, bug... No, feature!! IT'S INSECURE AAAAAHHHHH!

That's part of why they're developing Mir

So it's an issue that's being addressed, and snaps do provide security for non-graphical apps. It's unfortunate that it's being implied that the security benefits are more universal than they are but it's a subtle point that is difficult to emphasize. When trying to promote a new release, you want to emphasie the new features, not the subtle non-features.

Make a simple keylogger in X using Gnome Terminal!

Here's how!
Start gnome-terminal
$ xinput list
  Virtual core pointer                                id=2    [master pointer  (3)]
   Virtual core XTEST pointer                  id=4    [slave  pointer  (2)]
   VirtualBox mouse integration                id=9    [slave  pointer  (2)]
    ImExPS/2 Generic Explorer Mouse      id=11 [slave  pointer  (2)]
Virtual core keyboard                               id=3    [master keyboard (2)]
    Virtual core XTEST keyboard                 id=5    [slave  keyboard (3)]
    Power Button                                        id=6    [slave  keyboard (3)]
    Sleep Button                                        id=7    [slave  keyboard (3)]
    Video Bus                                           id=8    [slave  keyboard (3)]
    AT Translated Set 2 keyboard                id=10 [slave  keyboard (3)]

Find the id of the keyboard (10 in this case)
$ xinput test 10
open another gnome-terminal
$ sudo ls
[sudo] password for AC:<password>
Watch the scancodes in the first terminal. OMG there's ur password! (for brevity just listing keypress)
key press   39
key press   30
key press   40
key press   32
key press   65
key press   46
key press   39
key press   36
key press   58
key press   44
key press   42
key press   14
key press   18
key press   33
key press   30
key press   28
key press   52

Open a gui app as root
Type something
OMG there's muh typing!

There you have it, your very own keylogger. It works on all systems with X11 because by default nobody locks it down.

Even Better Summary

[Luthair]

Snaps are Ubuntu's desperate attempt to be trendy and cool like those new kids with the phones and tablets.

Re:Even Better Summary

[xtronics]

I think they created them for M$ - and the new WinBuntu mess. (Likely an attempt to start milking software patents - government involvement? - they are a cartel. )

The big point is using them will reduce the polish rate of software. When every package uses the different lib versions - software that depends on lib bugs don't get fixed. And the libs don't get updated - resulting in less secure systems etc.

We don't really want bugs that depend on other bugs -- snap will reduce the long term quality of code.

When doing development - there are times to use a newer lib for testing - there are already ways of doing this in the Debian world.

Someone please help me with this

[Sloppy]

X11 programs can see other programs' events. That's even true if I install the program from a .deb or a tarball, no? So WTF does this problem have to do with a package format?

(Oh, and if calling me ignorant/lazy or saying LMGTFY helps you explain it, fine. I'll take your assholiness as long as you have answers.)

Re:Someone please help me with this

X11 programs can see other programs' events. That's even true if I install the program from a .deb or a tarball, no? So WTF does this problem have to do with a package format?

(Oh, and if calling me ignorant/lazy or saying LMGTFY helps you explain it, fine. I'll take your assholiness as long as you have answers.)

It doesn't. gnome's xdg-app will suffer the same problem when it is ever deployed on non-Wayland desktop. The is just the usual MJG modus operandi whenever Ubuntu gets any positive press. He has to find something to shit on about it. It's because of the butthurt he suffered when he was BTFO's from Ubuntu.

Re:Someone please help me with this

[serviscope_minor]

X11 programs can see other programs' events.

By default, yes, but not if they're not authorised.

That's even true if I install the program from a .deb or a tarball, no?

Yes, certainly.

So WTF does this problem have to do with a package format?

Well, the packages are supposed to be for sandboxed stuff, as far as I can tell, so you can run them without risking compromising your machine. It's a pretty poor sandbox if it blithely gives X11 access to the programs at the most trusted level, as opposed to running them in an untrusted mode.

Oh, and if calling me ignorant/lazy or saying LMGTFY helps you explain it, fine. I'll take your assholiness as long as you have answers.

Well, since you presupposed that I would say it, I may as well live up to your expectations so go google it yourself you lazy/ignorant person. Frankly at this point I don'e even care what you google.

Well

I blame systend

Awwww snaaaaaap!

[Lisandro]

Seriously, i don't know what motivates Canonical to reinvent the package manager.

Re:Awwww snaaaaaap!

[Foresto]

I think Ubuntu Touch motivated this.

Re:Awwww snaaaaaap!

[Lisandro]

Oh, a mobile OS! That is sure to end up well!