Authorized clients

Sebastian Wick sebastian at sebastianwick.net
Wed Jan 8 08:20:00 PST 2014


On 2014-01-07 15:07, Martin Peres wrote:
> Those are extremely rare cases. Users wanting to do that should agree they
> give up confidentiality and should thus be administrators in order to tell
> the compositor that.

Why should those people have worse security than others only because
they want a feature you define as non-standard?

> In this case, we can still restrict access to the interface to a handful
> of programs to lower the risks, but it will still be possible for these
> applications to spy on the user without him knowing and this is something
> that shouldn't be allowed by default.

Like I said, we should be able to let polkit decide. You could even
distribute a .rules file which white-lists an application if we pass the
executable path.

> You may be right. I meant for screen grabbing (images or videos), no idea
> what restricted interface could be useful for a wayland compositor.
>
> Any idea?

The GNOME accessibility team need a few restricted protocols. Don't know
about the details, though.

> Would it be ok for you if the compositor asked the user to agree for the
> program to do the operation? If so, we can guarantee that this is really
> the user's intent and allow the application. We can also add a security
> warning with a "Do not ask again" checkbox. Would it be satisfactory to
> you?

If an application has the permission to use a restricted protocol it
already met all the requirements. You should talk to the polkit devs if you
want such a feature, I guess.

> I don't really like mandating compositors to implement that much code, but
> that's the only secure way I see to allow the use cases you want to allow.

And that's exactly why I don't want to implement the authorization
checking in the compositor! We can safely let polkit decide in non-obvious
cases. Less code in the compositor, less duplicated code and fewer security
risks, because polkit is designed to do that.

> By the way, I asked Peter about the security of input and that should be
> good. We then discussed visual feedback as a means to provide some
> mitigation and show some applications are grabbing the screen in the
> background. That may be something you would be interested in, in your
> case. What do you think?

I'm personally not interested in it but I guess it's a nice feature for
some people and I don't see why it should not work.
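The kind of polkit .rules file mentioned above, as an added example that is not part of the thread or of any Wayland or polkit project code. It assumes a hypothetical action id "org.example.wayland.screenshot" registered by the compositor, which passes the client's executable path as the action detail "exe_path"; the decision logic is kept in a plain function so it also runs stand-alone under Node, where no `polkit` object exists.

```javascript
// Added example: polkit rule that white-lists screen-grabbing clients by
// executable path. Action id, detail key and the white-list are assumptions.
var Result = { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: undefined };

// Executables the distribution trusts to grab the screen (constructed list).
var WHITELIST = [
  "/usr/bin/gnome-screenshot",
  "/usr/libexec/orca-screen-reader"
];

function decide(action, subject) {
  // Only handle the restricted-protocol action; everything else falls
  // through to other rules and the action's implicit defaults.
  if (action.id !== "org.example.wayland.screenshot") {
    return Result.NOT_HANDLED;
  }
  var exe = action.lookup("exe_path");
  // Refuse when the compositor supplied no path or a non-canonical one:
  // the whole decision rests on this detail being trustworthy.
  if (typeof exe !== "string" || exe.charAt(0) !== "/" || exe.indexOf("/../") !== -1) {
    return Result.NO;
  }
  // Only a client on the active local seat may see the screen at all.
  if (!subject.local || !subject.active) {
    return Result.NO;
  }
  if (WHITELIST.indexOf(exe) !== -1) {
    return Result.YES;
  }
  // Anything else needs an administrator to authenticate, which matches the
  // "should be administrators" position in the quoted mail.
  return Result.AUTH_ADMIN;
}

// Register with polkit when loaded as a rules file; a no-op under Node.
if (typeof polkit !== "undefined") {
  polkit.addRule(function (action, subject) {
    var r = decide(action, subject);
    if (r === Result.YES) return polkit.Result.YES;
    if (r === Result.NO) return polkit.Result.NO;
    if (r === Result.AUTH_ADMIN) return polkit.Result.AUTH_ADMIN;
    return polkit.Result.NOT_HANDLED;
  });
}
```

The rule is only as strong as the "exe_path" detail: the compositor has to derive it from the client connection's peer credentials itself, never from anything the client sends.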

