[Wayland-bugs] [Bug 101345] Multiple compositor crash and security problem

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Jun 8 12:55:36 UTC 2017 

https://bugs.freedesktop.org/show_bug.cgi?id=101345

Daniel Stone <daniel at fooishbar.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |NOTABUG

--- Comment #5 from Daniel Stone <daniel at fooishbar.org> ---
(In reply to Daniele from comment #4)
> If the user can view an application on compositor A but receiving messages
> from compositor B is a security issue.

What is happening is: application A is connected to compositor A. Application B
is connected to compositor B. Application A can send messages _directly_ to
application A, without the need of any compositor.

This is what gnome-terminal (and Chrome, etc) do, the same as they do under
X11. This has nothing to do with Wayland, but the design of the specific client
applications you are trying to use.

> The compositor starts without root privileges and it may be easy to start a
> fake compositor created only to run a keylogger.

If this is true, then you control the environment your applications run in. If
you control the environment your applications run in, then you can trace them
and modify their execution directly: you don't even need to bother running a
separate compositor.

This has nothing to do with Wayland, but you may be interested in things like
SELinux for isolation.

I understand the problems you are describing, but this is really not a security
issue introduced by Wayland. If you would like to have sessions isolated from
each other, then run them as separate users, at which point you will never be
able to connect to the other compositor (thanks to filesystem permissions) no
matter how hard you try.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/wayland-bugs/attachments/20170608/26508da9/attachment.html>

More information about the wayland-bugs mailing list