RE: Re: Summary of the security discussions around Wayland and privileged clients

2014-02-27 Thread Dodier-Lazaro, Steve
> Hi Steve, thanks for the thoughtful response. > > PAM's technical implementation allows a number of modules to be tried in > order for authentication. Your API, as a PAM authentication module, is > limited to four operations: ask the user a non-secret question (with a > textual response), ask th

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-27 Thread Martin Peres
On 27/02/2014 18:01, Jasper St. Pierre wrote: On Wed, Feb 26, 2014 at 10:02 PM, Sebastian Wick <sebast...@sebastianwick.net> wrote: Hey Jasper, maybe I didn't understand what you're saying but why can't you use the application authorization mechanism you're talking about in

Re: Re: Summary of the security discussions around Wayland and privileged clients

2014-02-27 Thread Jasper St. Pierre
Hi Steve, thanks for the thoughtful response. On Thu, Feb 27, 2014 at 3:27 PM, Dodier-Lazaro, Steve <s.dodier-lazaro...@ucl.ac.uk> wrote: > Hello Jasper, > > A quick reply on some of your emails (grouped to avoid spamming the ML). > > > My experience with PAM and similar "pluggable security mod

RE: Re: Summary of the security discussions around Wayland and privileged clients

2014-02-27 Thread Dodier-Lazaro, Steve
Hello Jasper, A quick reply on some of your emails (grouped to avoid spamming the ML). > My experience with PAM and similar "pluggable security modules" is that > they provide a subpar user experience, are hard to integrate properly into > the system, and have large pain points that stem from ha

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-27 Thread Jasper St. Pierre
On Wed, Feb 26, 2014 at 10:02 PM, Sebastian Wick <sebast...@sebastianwick.net> wrote: > Hey Jasper, > > maybe I didn't understand what you're saying but why can't you use the > application authorization mechanism you're talking about in a "WSM"? > Wouldn't it make sense to make it independent of

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-26 Thread Sebastian Wick
Hey Jasper, maybe I didn't understand what you're saying but why can't you use the application authorization mechanism you're talking about in a "WSM"? Wouldn't it make sense to make it independent of the compositor? On 2014-02-26 23:05, Jasper St. Pierre wrote: Hi Martin, My experience w

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-26 Thread Jasper St. Pierre
Hi Martin, My experience with PAM and similar "pluggable security modules" is that they provide a subpar user experience, are hard to integrate properly into the system, and have large pain points that stem from having such flexibility. My compositor, mutter, will probably never call out to your

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-26 Thread Martin Peres
On 19/02/2014 17:11, Martin Peres wrote: Wayland Security Modules As seen earlier, granting access to a restricted interface or not depends on the context of the client (how it was launched, previous actions). The expected behaviour should be defined by a security policy. As no conse

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Thiago Macieira
On Thu 20 Feb 2014, at 14:34:39, Bill Spitzak wrote: > This makes it impossible for a privileged client to distribute its > privileges to more than one subprocess, or to both itself and a subprocess. I think it's fine. That's hardly a common scenario. To allow distribution of security setting

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Bill Spitzak
This makes it impossible for a privileged client to distribute its privileges to more than one subprocess, or to both itself and a subprocess. That is why I would prefer an "id" approach, which I still think would be a good way for parent processes to send objects to children, even if it is n

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Jason Ekstrand
On Thu, Feb 20, 2014 at 2:41 PM, Thiago Macieira wrote: > On Thu 20 Feb 2014, at 21:31:59, Martin Peres wrote: > > > Now, the privileged process wants to launch a sub-process. How will the > > > sub-process connect to the compositor? Remember: WAYLAND_SOCKET > contains > > > a file descriptor

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Thiago Macieira
On Thu 20 Feb 2014, at 21:31:59, Martin Peres wrote: > > Now, the privileged process wants to launch a sub-process. How will the > > sub-process connect to the compositor? Remember: WAYLAND_SOCKET contains > > a file descriptor number that isn't available to the child process. > > Ah, I see. Y

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Martin Peres
On 20/02/2014 21:26, Thiago Macieira wrote: On Thu 20 Feb 2014, at 19:56:08, Martin Peres wrote: On 20/02/2014 18:42, Thiago Macieira wrote: Unless you meant that the WAYLAND_SOCKET variable can contain a file descriptor number. Is that the case? In that case, how should the privileged

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Thiago Macieira
On Thu 20 Feb 2014, at 19:56:08, Martin Peres wrote: > On 20/02/2014 18:42, Thiago Macieira wrote: > > Unless you meant that the WAYLAND_SOCKET variable can contain a file > > descriptor number. Is that the case? In that case, how should the > > privileged process clear the environment to all

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Martin Peres
On 20/02/2014 20:43, Sebastian Wick wrote: On 2014-02-20 20:02, Martin Peres wrote: On 20/02/2014 13:04, Pekka Paalanen wrote: snip It can be done, but with a little more effort than implied here. Binding to an interface means wl_registry.bind request, and failing that is always a fatal

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Sebastian Wick
On 2014-02-20 20:02, Martin Peres wrote: On 20/02/2014 13:04, Pekka Paalanen wrote: snip It can be done, but with a little more effort than implied here. Binding to an interface means wl_registry.bind request, and failing that is always a fatal error, which terminates the client connectio

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Martin Peres
On 20/02/2014 13:04, Pekka Paalanen wrote: On Wed, 19 Feb 2014 17:11:03 +0100 Martin Peres wrote: Hi Guys, Following the giant and impossible to read "Authorized clients" thread, I said I would take the time and write everything we talked about down, for convenience and to check I took

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Martin Peres
On 20/02/2014 18:42, Thiago Macieira wrote: Unless you meant that the WAYLAND_SOCKET variable can contain a file descriptor number. Is that the case? In that case, how should the privileged process clear the environment to allow child processes to be launched? Yes, it takes an FD as a paramete

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Thiago Macieira
On Thu 20 Feb 2014, at 14:04:42, Pekka Paalanen wrote: > FWIW, Weston already does track its children by pid also, so that it > can respawn them as needed if they e.g. crash. Some compositors may take advantage of an external process launcher & babysitter, like systemd --user. > > A simpler a

Re: Summary of the security discussions around Wayland and privileged clients

2014-02-20 Thread Pekka Paalanen
On Wed, 19 Feb 2014 17:11:03 +0100 Martin Peres wrote: > Hi Guys, > > Following the giant and impossible to read "Authorized clients" > thread, I said I would take the time and write everything we talked > about down, for convenience and to check I took everyone's idea and > needs into acc

Summary of the security discussions around Wayland and privileged clients

2014-02-19 Thread Martin Peres
Hi Guys, Following the giant and impossible to read "Authorized clients" thread, I said I would take the time and write everything we talked about down, for convenience and to check I took everyone's idea and needs into account. I published the whole article on my blog [1] but I also want