<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jan 7, 2014 at 9:07 AM, Martin Peres <span dir="ltr"><<a href="mailto:martin.peres@free.fr" target="_blank">martin.peres@free.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Le 07/01/2014 01:45, Sebastian Wick a écrit :<div class="im"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Am 2014-01-06 19:33, schrieb Martin Peres:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Le 06/01/2014 19:10, Sebastian Wick a écrit :<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Am 2014-01-06 16:05, schrieb Martin Peres:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
As I said before, I think trusting applications is taking the problem<br>
the wrong way.<br>
<br>
What we want is that a screenshot can only happen when the *user* wants it.<br>
This is why I think it is the desktop shell's job to launch the<br>
screenshot app when<br>
required by the user. In this case, even if the user can select the application<br>
that can perform a screen shot and even if a malicious application changes<br>
the default setting, it won't be able to perform screenshots silently.<br>
This is what<br>
we want.<br>
</blockquote>
<br>
It's just not flexible enough. What if you want to autostart a screen-reader?<br>
</blockquote>
<br>
Please provide a better example, this one doesn't make sense. Who<br>
would want that?<br>
And if they do want that, they should press a button on their keyboard<br>
to do just that.<br>
</blockquote>
<br>
Taking a screenshot from the command line with delay, recording the desktop as<br>
soon as a program starts. Making screenshots at a specific times.<br>
There are some valid cases you can't even think of until someone wants it.<br>
</blockquote>
<br></div>
Those are extremely rare cases. Users wanting to do that should agree they give up<br>
confidentiality and should thus be administrators in order to tell the compositor that.<br>
<br>
In this case, we can still restrict access to the interface to a handful of programs<br>
to lower the risks, but it will still be possible for these applications to spy on the user<br>
without him knowing and this is something that shouldn't be allowed by default.<br>
<br>
Is it something that would be satisfactory to you?<div><div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
My proposal is that it should require a physical key pressing to be<br>
able to get ONE<br>
screenshot means we also require a secure input method and can attest the origin<br>
of the key stroke but what else can be do? Of course, you should also allow key<br>
strokes from the on-screen keyboard, but this application should be launched<br>
by the compositor and should be trusted anyway. I should talk to Peter<br>
Hutterer about<br>
input security/origin.<br>
</blockquote>
<br>
Like I said, I think it's too inflexible.<br>
</blockquote>
<br>
Please, share a list of valid use cases :) I already gave reasons why<br>
I think not doing what<br>
I proposed almost means no confidentiality on the application's buffers.<br>
<br>
Of course, it could be mitigated by making the screen flash or<br>
something when a screenshot<br>
is taken but people just hate that and some would even fail to notice it.<br>
<br>
What you want is allowing apps to grab the screen whenever you want.<br>
Allowing that should<br>
mean you have root/admin access. A global configuration file could<br>
disable the screenshooting<br>
security, but that should be a conscious choice of the administrator<br>
(for whatever weird reason<br>
they want to be able to grab the screen).<br>
<br>
However, I re-iterate, this is something stupid security-wise for very<br>
little benefit. Why don't you<br>
want to associate a physical event to start the recording process?<br>
</blockquote>
<br>
I just don't agree that a restricted protocol is only useful if the user<br>
interacts with it.<br>
</blockquote>
<br></div></div>
You may be right. I meant for screen grabbing (images or videos), no idea<br>
what restricted interface could be useful for a wayland compositor.<br>
<br>
Any idea?<div class="im"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
That also means that we need a protocol to tell the compositor to start a<br>
program with a new socket and a protocol to ask the compositor for permission.<br>
</blockquote>
<br>
Why do you want to create so many protocols? The compositor simply has to create<br>
a new connection to itself, mark this connection as being allowed to<br>
do one screenshot,<br>
then fork. The child should then exec the wanted process. The new<br>
process will simply<br>
access the already-opened fd and communicate with the server with it<br>
(yes, some FDs<br>
from the parent can still exist in the child process, after the exec).<br>
<br>
That should be the way for privileged application to communicate with<br>
the compositor.<br>
No authentication protocol needed, the compositor is responsible for doing<br>
the authentication the way it pleases him.<br>
</blockquote>
<br>
You're right about the authentication protocol but there must be a way to tell the<br>
compositor to start an application without having a key-binding or such a thing.<br>
When a client uses the protocol, the compositor would then do what you described.<br>
</blockquote>
<br></div>
Would it be ok for you if the compositor asked the user to agree for the program to<br>
do the operation? If so, we can guarantee that this is really the user's intent and<br>
allow the application. We can also add a security warning with a "Do not ask again"<br>
checkbox. Would it be satisfactory to you?<br></blockquote><div><br></div><div>The user opened up a screen recording app. The user's intent is very much to record the screen. We don't need to ask the user again with a prompt.<br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I don't really like mandating compositors to implement that much code, but that's the only<br>
secure way I see to allow the uses cases you want to allow.<br>
<br>
By the way, I asked Peter about the security of input and that should be good. We then<br>
discussed about visual feedback as a mean to provide some mitigation and show<br>
some applications are grabbing the screen in the background. That may be something you<br>
would be interested in, in your case. What do you think?<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Polkit should be flexible enough to allow a protocol based on how a program<br>
was started. You could configure polkit that if the compositor started a program<br>
because of a key-binding it has permission to use a protocol and stuff like that.<br>
</blockquote>
<br>
I haven't studied polkit, I don't know.<br>
</blockquote>
<br>
I'm going to ask someone who knows more about polkit but from what I understand we<br>
can pass arguments to polkit rules.<br>
We don't even have to argue about if only clients started by a user action get<br>
permission because we can simply pass to polkit if the client was started by a user<br>
action and let polkit decide.<br>
</blockquote>
<br></div>
Great, please report back!<div class="HOEnZb"><div class="h5"><br>
<br>
______________________________<u></u>_________________<br>
wayland-devel mailing list<br>
<a href="mailto:wayland-devel@lists.freedesktop.org" target="_blank">wayland-devel@lists.<u></u>freedesktop.org</a><br>
<a href="http://lists.freedesktop.org/mailman/listinfo/wayland-devel" target="_blank">http://lists.freedesktop.org/<u></u>mailman/listinfo/wayland-devel</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br> Jasper<br>
</div></div>