Professional pentester here - Wayland alone doesn't really do much for you, security wise. It is still very possible for an application simply running under a wayland compositor to do lots of nasty things.
The Wayland protocol provides the building blocks for someone to create an Android-like sandboxed environment, but doing so would break every application. Snaps and Flatpak come closer, but still generally miss the mark, since many applications require your entire home directory to be bind mounted in their container.
Running wayland alone gets you very little in terms of sandboxing. It locks the front door, but leaves the backdoor and all your windows open, because that's what every application under the sun expects.
> Under X11, you are basically running every application with root, always.
This is ... not true, either broadly or generally. You're saying this because Xorg runs as root, which means that any security flaw in Xorg yields root access. I think saying that "you are running every application with root" is stretching it a bit, but I'll accept it.
But Xorg doesn't have to run as root. OpenBSD started it years ago with Xenocara, but AFAIK Fedora also does not run Xorg as root. I'm not sure what other OSes are doing, but it's at least not a flaw of X11 in general, just a flaw of Xorg.
> This is ... not true, either broadly or generally
I’m saying that because if you ever type in your password, e.g. into a screenlocker, into a terminal with sudo, or an apt-get gui, every application can listen to those input events. Every application has the ability to be a keylogger by default. And with that captured password, it then can either inject input events into your terminal, or run sudo itself.
> The Wayland protocol provides the building blocks for someone to create an Android-like sandboxed environment, but doing so would break every application. Snaps and Flatpak come closer, but still generally miss the mark, since many applications require your entire home directory to be bind mounted in their container.
That’s true, but also not. With X11, even a flatpak without any special permissions or bind mounts can still basically control your system. Just listen for input events until you see the keys "s u d o", then listen until you see something that looks like a password, then wait until the user is not paying attention, and inject virtual input events to start a terminal and inject input events to run "sudo rm -rf /*" with the password you captured earlier.
By making the ability to intercept, record, or inject input events a special API, wayland at least allows flatpaks to be sandboxed at all.
Still, assuming a lack of other sandboxing, running a keylogger is pretty trivial. It's not by default, as you put it, but an un-sandboxed application has enough access to your filesystem to perform tomfoolery and get your credentials. At that point, there's no need to start a terminal, you just load some shellcode in whatever process you control, and say goodbye to your data.
As for sandboxing, well, you're right, although one could sandbox X11 if they wanted to. "X-on-X" is actually a thing, rarely used outside developing X, but I could see it being used for seamless sandboxing with some work. Work that, inevitably, no-one will actually do, so there's that ;)
It actually is feasible to sandbox X11 in that way, I believe this is what security-focused distributions like Qubes and Whonix do. But yeah, it is essentially working around the problems with X11 and not really suitable for ordinary use.
To me the real progress needed is that applications need to move to using sandbox-friendly APIs so they don't break when put in the sandbox, and moving to Wayland is a key part of that. Applications built around the X11 idea of always having full access to everything will need changes regardless of what sandboxing solution is in use.
> I’m saying that because if you ever type in your password, e.g. into a screenlocker, into a terminal with sudo, or an apt-get gui, every application can listen to those input events.
And any program can (on a relatively default box) trace arbitrary programs under your gid and scan memory for passwords. The real issue here is that there are very weak process boundaries within a gid (because it is historically most convenient), not necessarily a lot wrong with X11.
> With X11, even a flatpak without any special permissions or bind mounts can still basically control your system. Just listen for input events until you see the keys "s u d o", then listen until you see something that looks like a password, then wait until the user is not paying attention, and inject virtual input events to start a terminal and inject input events to run "sudo rm -rf /*" with the password you captured earlier.
Why such complication? An hostile application can simply add an "evil" line to your .bashrc and you are fucked anyway. No need to keylog anything, nor the fancy stuff that you describe. It doesn't need to be a graphical application, even. The "ls" command can do it!
Flatpak runs applications in what’s nowadays referred to as container: the application can’t see any processes outside the container, can’t access any filesystem except for files you explicitly open with the application, and especially can’t edit your .bashrc.
That’s the point of flatpak. But as long as you use X11, there’s one single privilege escalation path left, and that’s the complicated one I described above.
> Flatpak runs applications in what’s nowadays referred to as container: the application can’t see any processes outside the container, can’t access any filesystem except for files you explicitly open with the application, and especially can’t edit your .bashrc.
That's just false. Flatpak has the ability to restrict access to such resources, but it's completely up to the author of a Flatpak application if they make use of it. Like my file manager and text editor are Flatpaks fetched from flathub.org and both applications have unrestricted access to my whole home directory by default, including my shell configuration -- even the Chromium Flatpak can do that by default.
Edit: I just counted, out of 30 installed Flatpaks from flathub.org 19 have full access to either my whole home directory or the host file system.
That's true, but not really relevant. The point of flatpak is that it can sandbox applications if just the right flag is set, but this sandboxing becomes useless on X11.
Long-term, all applications should strive to be properly sandboxed this way
Of course it is. Someone who read your comment and didn't question it might now believe that Flatpaks would enforce filesystem sandboxing and prevent, say some game, from accessing their shell configuration or ssh keys. That's false and it's dangerous, because nothing is worse from a security perspective than misinformed users who have a false sense of security.
> but this sandboxing becomes useless on X11.
That's also false. For example X11 provides mechanisms like the X11 security extensions which prevent clients from accessing each others data through the X11 protocol (like key events or buffer content), which means when I run my color picker or xev in a such an X11 security context they literally stop working outside of their own window. Firejail makes this type of sandboxing easily accessible and it also provides the ability to easily isolate x11 clients with xpra or xephyr.
So it's not like it can't be done, it's just that Flatpak doesn't care about it -- which is fine. With dbus you get the same issues, because clients on the same bus aren't isolated from each other. In this instance however Flatpak cared and implemented a dbus proxy to isolate clients from each other without throwing dbus away.
> all applications should strive to be properly sandboxed this way
I agree, but definitely not this way! The sandboxing details must be 100% controlled by the user. The people who distribute the application should have no say whatsoever about their required permissions. That's ultimately for the user to decide. From the point of view of the application, all files are visible, but it may be a mock filesystem with mock resources. Letting the application distributors chose the permissions defeats the whole purpose of the sandboxing.
What if I don't trust the person that sent me the flatpack container itself? A truly secure sandboxing should be a standard OS facility, not tied to a package distribution method. The flatpack/snap model is all wrong. I need to run arbitrary hostile applications in a safe manner, not only those that the developers have decided to distribute in a certain form.
Sure, but the flatpak model is a way to get these advantages for as large a userbase as fast as possible. If you use flatpaks without bind-home under wayland today, you’ve significantly improved your actual security already.
Sandboxing arbitrary badly behaving software is just going to use the same APIs as flatpak, so this helps for your use case as well.
All the hand wringing over root privilege escalation on Linux is almost irrelevant for most single-user systems, as since there's really only one non-root account which usually has all the data the user cares about, getting access to just that non-root account would be disaster enough for the user.[1]
So if Wayland's design is standing in the way of doing useful things because they're concerned about root privilege escalation, they've got their priorities mixed up.
[1] - not to mention that once a non-root account is exploited then getting root in some other way, even if Wayland itself can't be exploited, is usually not difficult.
The goal isn’t to prevent escalation to root, but to prevent escalation out of a sandbox.
If you sandbox an application today, while it can’t access the filesystem at all, and nothing under your user account, as long as it can show you a window under X11, it can log, manipulate, and inject any input events or window contents of any other windows as well.
That’s the one single big hole in todays sandboxes under linux, and there’s only two options to solve it: put a whole separate X server into the sandbox of every single application with X-on-X, or replace X. Which is one of the things wayland fixes.
I think the point about root is not so much about whether Xorg is run as root, but rather that any application can then elevate itself as root by listening to the key events to catch your password (for example when unlocking your screen) and then sudo with it.
> You're saying this because Xorg runs as root, which means that any security flaw in Xorg yields root access.
They're saying that because every app under Xorg can do keylogging they're effectively running as root, as any of them can keylog your root password next time you type it in.
The Wayland protocol provides the building blocks for someone to create an Android-like sandboxed environment, but doing so would break every application. Snaps and Flatpak come closer, but still generally miss the mark, since many applications require your entire home directory to be bind mounted in their container.
Running wayland alone gets you very little in terms of sandboxing. It locks the front door, but leaves the backdoor and all your windows open, because that's what every application under the sun expects.
> Under X11, you are basically running every application with root, always.
This is ... not true, either broadly or generally. You're saying this because Xorg runs as root, which means that any security flaw in Xorg yields root access. I think saying that "you are running every application with root" is stretching it a bit, but I'll accept it.
But Xorg doesn't have to run as root. OpenBSD started it years ago with Xenocara, but AFAIK Fedora also does not run Xorg as root. I'm not sure what other OSes are doing, but it's at least not a flaw of X11 in general, just a flaw of Xorg.