New paths for Wayland sockets (Re: Enabling Android-style per application user ids)
Jan Engelhardt
jengelh at inai.de
Fri Nov 3 08:38:46 UTC 2017
On Friday 2017-11-03 08:33, Pekka Paalanen wrote:
>> > >
>> > > wl_display_connect() always attempts to contact a server socket living at
>> > > ${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}.
>
>> > Modifying the meaning of WAYLAND_DISPLAY environment variable to
>> > support also absolute paths has been proposed before IIRC. Maybe
>> > resurrecting that work could be a way forward? Can anyone see a problem
>> > with that?
>>
>> This would definitely work, so I don't object if this is the preference of
>> other reviewers. I would prefer (for the reasons coming below) the
>> /run/wayland/$WAYLAND_DISPLAY suggestion though.
>>
>> One note about this: this would contain a subtle change in behavior to
>> existing users of $WAYLAND_DISPLAY. If somebody sets
>> WAYLAND_DISPLAY="/wayland-0" currently, this works okay. The concatenation
>> logic in wl_display_connect() results in a string
>> "/run/user/<uid>//wayland-0", which is valid despite the duplicate '/'. If
>> $WAYLAND_DISPLAY is now examined for absolute-pathiness, the logic would
>> probably see "/wayland-0" as an absolute path reference, and the connection
>> attempt would fail.
So, for comparison, the X11 DISPLAY variable is an abstract identifier only.
libX11 checks that $DISPLAY matches /^:[0-9]+$/ and rejects attempts to use
e.g. "/../"-kind of injection attacks.
And I would think that the intent of WAYLAND_DISPLAY was very similar in that
its creators saw it as an identifier rather than a path component. (It
certainly has that _ring_ to it, given its proximity to X11's "DISPLAY" name.)
As such, WAYLAND_DISPLAY maybe should be hardened to reject any '/',
and consequently, a new variable ("WAYLAND_SOCKET"?) be introduced that,
if set, 1. overrides WAYLAND_DISPLAY, 2. decidedly allows path specs
to the desired effect so as to use /run/wayland/wayland-N.
Summary of (individual) proposals follows.
>- modify WAYLAND_DISPLAY to support absolute paths which overrides
> any search paths
- introduce new WAYLAND_SOCKET
- modify WAYLAND_DISPLAY to reject '/'
>- when the current socket search fails, add one more place to look
> in: /run/wayland/$WAYLAND_DISPLAY with the default "wayland-0" if
> WAYLAND_DISPLAY is not set.
- WAYLAND_SOCKET always overrides WAYLAND_DISPLAY
- at most, automatic fallback if only if both WAYLAND_SOCKET and
WAYLAND_DISPLAY are unset
More information about the wayland-devel
mailing list