Bug 101345

Summary: Multiple compositor crash and security problem
Product: Wayland
Component: wayland
Reporter: Daniele <vbextreme>
Assignee: Wayland bug list <wayland-bugs>
Status: RESOLVED NOTABUG
Severity: blocker
Priority: medium
CC: jadahl
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description Daniele 2017-06-08 09:45:35 UTC
I use Fedora 25 gnome/wayland and I tried to use another compositor, sway. After installation I changed session with CTRL+ALT+F3, logged in and executed sway.
OK, everything worked. Initially I was happy, but after some time, when I execute an application in sway, the application runs on gnome.
Then, launching an application like gnome terminal or chromium from session 3 (sway), the application runs and the window is displayed on gnome. Now if I close the compositor (sway), the applications on gnome are closed.
It does not always happen; sometimes the applications are started where they should be.
I think it's a serious safety issue.

Today I wanted to investigate and make a video, but everything randomly froze and I needed to force a poweroff; after the second time I decided to stop so as not to break my hard disk.

Wayland's security idea is completely wrong, the only security introduced has been removing features and this is not security.
You have closed your home windows with the bricks and lifted the roof to breathe, this is not protection.

I like new technologies but, disappointed, I return to XORG.

Have a good life
Comment 1 Pekka Paalanen 2017-06-08 10:36:33 UTC
Please provide the value of the environment variables WAYLAND_DISPLAY and XDG_RUNTIME_DIR on each of your simultaneous sessions when you observe application windows showing up on unexpected compositors.

Wayland clients use that variable to choose which compositor to connect to. If the variable is not set, a default address is used.

Do note that the address is specific to your current user account. If the file permissions on your system are correct, no-one except root will be able to connect to another user's compositor.

If you are running all your separate sessions as the same user, nothing will prevent applications from opening on an arbitrary compositor of the same user.

I do not see any security issue so far.
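
The lookup and permission check that Comment 1 describes, as an added example that is not part of the original thread: shell functions that resolve which compositor socket a client started in the current environment would use, and verify that the runtime directory is owner-only. The function names are hypothetical, `wayland-0` is libwayland's default display name, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the bug thread. Assumes Linux with GNU stat.

# Print the socket path a client would choose from its environment.
wayland_socket_path() {
    name=${WAYLAND_DISPLAY:-wayland-0}   # libwayland's default display name
    case $name in
        /*) printf '%s\n' "$name" ;;     # absolute path is used as-is
        *)  [ -n "${XDG_RUNTIME_DIR:-}" ] || return 1   # nowhere to look
            printf '%s\n' "$XDG_RUNTIME_DIR/$name" ;;
    esac
}

# Succeed only if the directory is owned by the current user with mode 700,
# the precondition for other (non-root) users being unable to connect.
runtime_dir_is_private() {
    [ -d "$1" ] || return 1
    set -- "$1" $(stat -c '%u %a' "$1")  # $2 = owner uid, $3 = octal mode
    [ "$2" = "$(id -u)" ] && [ "$3" = "700" ]
}

# List conventionally named compositor sockets in a runtime directory. Every
# one is reachable by any process of the same user, whichever VT started it.
compositor_sockets() {
    for s in "$1"/wayland-*; do
        [ -S "$s" ] && printf '%s\n' "$s"   # skips wayland-N.lock files
    done
    return 0
}

report() {
    sock=$(wayland_socket_path) || { echo "XDG_RUNTIME_DIR unset: no socket path"; return 0; }
    echo "clients started here connect to: $sock"
    if runtime_dir_is_private "${sock%/*}"; then
        echo "runtime directory is private to uid $(id -u)"
    else
        echo "WARNING: ${sock%/*} is not an owner-only directory"
    fi
    echo "compositor sockets open to this user:"
    compositor_sockets "${sock%/*}"
}
report
```

Running it on each VT shows whether the sessions differ in `WAYLAND_DISPLAY`; more than one socket listed under the same directory means same-user clients can open on either compositor.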
Comment 2 Jonas Ådahl 2017-06-08 10:44:49 UTC
FWIW, gnome-terminal uses a single client for all terminal windows, and running "gnome-terminal" will just, over D-Bus, tell gnome-terminal-daemon to launch another window, and it'll use the Wayland display where it was first launched. So for that particular "issue" that is probably the cause. I suspect chromium works in a similar way.
Comment 3 Daniel Stone 2017-06-08 11:17:20 UTC
(In reply to Jonas Ådahl from comment #2)
> FWIW, gnome-terminal uses a single client for all terminal windows, and
> running "gnome-terminal" will just, over D-Bus tell gnome-terminal-daemon to
> launch another window, and it'll use the Wayland display where it was first
> launched. So for that particular "issue" that is probably the cause. I
> suspect chromium works in a similar way.

It does, and it will print 'Creating new window in existing session' whilst doing so.

This is not a security issue: as a user, you have two processes (gnome-terminal-daemon and the 'gnome-terminal' wrapper binary you are running) which are allowed, per your local security policy, to communicate with each other. This is usually by D-Bus, but can be by UNIX sockets, or even ptrace.

If you want to ensure you cannot access one session from another, I would recommend running as a different user, so your permissions will prevent accessing the compositor socket, so they will not share UNIX sockets in your home directory, and so ptrace will also be cut off.
Comment 4 Daniele 2017-06-08 12:06:52 UTC
If the user can view an application on compositor A but it receives messages from compositor B, that is a security issue.
The compositor starts without root privileges and it may be easy to start a fake compositor created only to run a keylogger.
I remember that a sway application appeared on the gnome session but responded to the sway session messages.

In the coming days I will try to start multiple compositors on the same session.
Comment 5 Daniel Stone 2017-06-08 12:55:36 UTC
(In reply to Daniele from comment #4)
> If the user can view an application on compositor A but receiving messages
> from compositor B is a security issue.

What is happening is: application A is connected to compositor A. Application B is connected to compositor B. Application A can send messages _directly_ to application A, without the need of any compositor.

This is what gnome-terminal (and Chrome, etc) do, the same as they do under X11. This has nothing to do with Wayland, but the design of the specific client applications you are trying to use.

> The compositor starts without root privileges and it may be easy to start a
> fake compositor created only to run a keylogger.

If this is true, then you control the environment your applications run in. If you control the environment your applications run in, then you can trace them and modify their execution directly: you don't even need to bother running a separate compositor.

This has nothing to do with Wayland, but you may be interested in things like SELinux for isolation.

I understand the problems you are describing, but this is really not a security issue introduced by Wayland. If you would like to have sessions isolated from each other, then run them as separate users, at which point you will never be able to connect to the other compositor (thanks to filesystem permissions) no matter how hard you try.
