On Sun, Jul 09, 2017 at 02:07:06PM +0000, Johannes Lundberg wrote: > That code gets the child's pid from the fork command. That's is not > available in my case (Wayland client connects to Wayland server via unix > socket). > I can understand the security issue.. hmm will dig further tomorrow.. It seems like what Wayland wants is not a security feature, but a feature to prevent people from building things that will not work in a future more secure world. In this future world, operations like making a screenshot would be privileged. Even if the PID race is solved, it remains trivial to fake the check (for example, fork a process that sends the initial message and then immediately execs a "privileged" binary, or use ptrace to attach to a "privileged" binary or launch a new copy of a "privileged" binary). With regard to security, it would be equivalent to have the client send the name of its binary to the server. Putting this into a low-level Wayland library would deter people from faking the check to do things that will not work in the future more secure world. I don't know how invasive this would be, though. One possible implementation of the future more secure world would be per-application UIDs a la Android. Another one would be Capsicum-sandboxed applications where applications receive their Wayland sockets pre-connected by code that tells the Wayland server the application identity. -- Jilles TjoelkerReceived on Sun Jul 09 2017 - 19:21:31 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:12 UTC