Authorized clients

Jasper St. Pierre jstpierre at mecheye.net
Wed Jan 8 10:47:06 PST 2014


Yes, the user has to trust that a screenshot app won't start uploading his
porn to the web, just like she also has to trust that it won't give him a
virus.

The new sandboxing technology is a way of making sure the user knows what
the app has access to, and to prevent access to things the user didn't give
it permission to access.

If she installs a screenshot app that requests permissions to take
screenshots and she gives the app those permissions, then she trusts the
app to not abuse those permissions. She can also trust the OS to
prevent the app from accessing her contacts and telling all her coworkers
about great deals on bread, since she didn't give the app the permission to
access her contacts.

But anyway, this is orthogonal to Wayland. In terms of desktop Linux, we
have one question: can this "application" (likely identified/keyed by a
.desktop) access this privileged operation (taking a screenshot). I just
noticed that this sounded an awful lot like PolicyKit. I think the
compositor can apply this discretion if it knows the app ID that's trying
to access the request. That's an issue for me: how do we tie the
application executable/.desktop file together in an unspoofable manner?

Prompting the user "are you *sure* you really meant to take a screenshot?
Yes/No" when he presses Print Screen is just a way to piss her off.


On Wed, Jan 8, 2014 at 1:28 PM, Martin Peres <martin.peres at free.fr> wrote:

> On 08/01/2014 15:04, Sebastian Wick wrote:
>
>  On 2014-01-08 13:02, Martin Peres wrote:
>>
>>> On 07/01/2014 20:26, Jasper St. Pierre wrote:
>>>
>>>>
>>>>     Would it be ok for you if the compositor asked the user to agree
>>>>     for the program to
>>>>     do the operation? If so, we can guarantee that this is really the
>>>>     user's intent and
>>>>     allow the application. We can also add a security warning with a
>>>>     "Do not ask again"
>>>>     checkbox. Would it be satisfactory to you?
>>>>
>>>>
>>>> The user opened up a screen recording app. The user's intent is very
>>>> much to record the screen. We don't need to ask the user again with a
>>>> prompt.
>>>>
>>>
>>> How do you make sure it WAS launched by the user and not run silently
>>> by one application?
>>> That's the whole problem.
>>>
>>
>> If the application starts recording the screen without user interaction
>> I would consider it broken.
>>
> Indeed, it would. But security is never based on what an application SHOULD
> do, it is based on what it CAN do.
>
> So you want to trust every screenshot application? I don't think it is a
> good idea. It is a better one
> than trusting every app, but it still is not very efficient.
>
>



-- 
  Jasper