Isn't the article's title misleading? It made me think that the new snap format is introducing an additional security risk, when what's really the case is that snap on Ubuntu desktop fails to provide any additional security over other packaging formats when the packaged binary uses X11, because the latter is insecure by default in certain ways (the example given is key logging; not sure if there are other ways).
I understand that some important Ubuntu person made a claim that Ubuntu's Snap is improving security, and that it's reasonable to counter that and state when and how it does not justify that claim, but choosing a non-misleading and somewhat click-bait-y title would still be appreciated. (At least when posting it to HN.)
Indeed, or any other case where the application is granted permission to do something sensitive (camera?) and abuses that trust. Even in those cases, though, it is an improvement to know the access exists, and to have control over it.
> The security mechanisms in snap packages allow us to open up the platform for much faster iteration across all of our flavours as snap applications are isolated from the rest of the system. Users can install a snap without having to worry whether it will have an impact on their other apps or their system. Similarly, developers have a much better handle on the update cycle as they can decide to bundle specific versions of a library with their app. Transactional updates make deployments of snap packages more robust and reliable.
> By bringing snap packages to Ubuntu 16.04 LTS we are unifying the experience for Ubuntu developers, whether they are creating software for PC, Server, Mobile, and IoT Devices. Snapcraft, a tool available for snap development, makes it easy for developers to package their apps and dependencies. Developers targeting snap packages get a great environment to write and test their applications – directly on their desktop, rather than being forced to use a device or a virtual machine.
I think it is just a poorly worded announcement that implied security isolation on Ubuntu 16.04 LTS when that was not the intention.
Similarly, they are just as secure as apt, so there is no loss of security, so the claim of the OP's title is misleading.
> (the example given is key logging, not sure if there's other ways)
You can get mouse events besides keystroke events, grab windows including the root window (screenshots), you can send keystrokes to other applications.
tl;dr assume no isolation between any X11 applications. Typing in your credentials in some terminal? You should trust all other X11 applications that are currently running, including the browser that runs untrusted programs all the time.
(There is a workaround: start applications in separate Xephyr sessions.)
Anything that encourages users to be more cavalier about installing software because they think they're protected is a security risk.
So if you want to lob accusations of inaccurate or misleading claims, better to aim them at Canonical, who are pitching this as a security panacea when it's anything but.
I think the author latched on to a PR piece from 16.04 release. Yeah that has the word security in it a few times.
But X11 was there before and installing random packages on your Desktop (or piping stuff from curl to a root bash, etc) is not secure. That is not controversial, I'd think.
> Matthew Garrett, a [...] security developer at CoreOS.
There might be a slight conflict of interest here. Although I am all for exposing security threats and issues regardless, Ubuntu has been advertising LXD, Juju and such technologies which somewhat compete with CoreOS, so I can understand why they'd want to move quickly to discredit it.
The whole adorable teddy bear thing is a bit childish perhaps. "Oh look how evil the new Ubuntu is, it lets evil teddy bears eat your data".
> But X11 was there before and installing random packages on your Desktop (or piping stuff from curl to a root bash, etc) is not secure. That is not controversial, I'd think.
The point that Canonical is trying to push is that installing random packages is more secure with snap/snappy because they are sandboxed (to some extent). However, as Matthew Garrett points out, this sandboxing is practically useless as long as you are running on X11, since a sandboxed program can send keystrokes to other applications, grab keystrokes, do window grabs, etc. So it still has as much control as unsandboxed applications as long as they are running in a normal X11 session.
He is right to call them out on this.
> There might be a slight conflict of interest here.
Since he is actually stating (known) facts about X11's security model, I don't see the problem.
> is more secure with snap/snappy because they are sandboxed (to some extent).
In a press release. Yes, it is more secure, but when running on a desktop with X11 it will have the same issues as before with X11.
Imagine a press release for 16.04 that all of a sudden starts going into details about X11 vulnerabilities. Who does that?
I can see refuting a white paper where Ubuntu makes detailed claims about security guarantees under certain threat models, but this seems like a cheap shot to me.
Moreover under this model you can shoot down any product. "Tor provides privacy" -- "Ah no it doesn't, here are more details". "The new JDK is faster than the old" -- "Wrong! Here is a benchmark where it shows it is slower". And so on.
He has also had an axe to grind vs Canonical for some time now (I think it started before he moved to work for CoreOS) over their requirements for working on projects under their control.
It's not more or less of a security risk than any other binary that you download from anywhere (or pipe into bash from curl for that matter).
Yes, it's sold as being more secure than other solutions, when it in fact isn't, but the headline still is clickbait because if Snap is a security risk then everything else is too.
I came here to say just that. It also _does_ increase security if X isn't used by the application in the snap (i.e. if the X11 or unity7 interfaces aren't requested).
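The two technical points above (a snap only gets the X11 access that breaks GUI isolation if it requests the x11 or unity7 interfaces, and once it has that access nothing isolates it from the other X11 clients) suggest a simple pre-install check: read the snap's manifest and list which apps would end up talking to the X server. The following is an added example, not code from the thread, from Canonical or from snapd. It assumes the snap.yaml layout used by snapcraft (an `apps:` mapping whose entries may carry a `plugs:` list, and an optional top-level `plugs:` mapping whose entries may name an `interface:`), and it assumes that an app with no `plugs:` key of its own inherits every top-level plug. The sample manifest is constructed for the demonstration.

```python
"""Audit a snap manifest for apps that would get a connection to the X server.

Added example (not from the original thread, Canonical or snapd). The manifest
layout and the 'app without plugs: inherits all top-level plugs' rule are
assumptions about snap.yaml; the interface names 'x11' and 'unity7' come from
the thread.
"""
from typing import Dict, List

# Interfaces that hand a confined app an X11 connection. Per the thread, an app
# that can talk to X11 can read other apps' keystrokes, grab the root window and
# inject input, so strict confinement no longer isolates it from other GUI apps.
X11_EXPOSING_INTERFACES = {"x11", "unity7"}


def _interface_of(plug_name: str, top_plugs: dict) -> str:
    """Resolve a plug name to its interface name.

    A top-level 'plugs:' entry may be a mapping with an 'interface:' key; a plug
    not declared at the top level is assumed to use the interface of the same name.
    """
    spec = top_plugs.get(plug_name)
    if isinstance(spec, dict):
        return spec.get("interface", plug_name)
    return plug_name


def x11_exposed_apps(manifest: dict) -> Dict[str, List[str]]:
    """Return {app_name: [x11-exposing interfaces]} for every app that would get X access."""
    top_plugs = manifest.get("plugs") or {}
    exposed: Dict[str, List[str]] = {}
    for app, spec in (manifest.get("apps") or {}).items():
        spec = spec or {}
        # Assumption: an app that lists no plugs of its own gets all top-level plugs.
        plug_names = spec["plugs"] if "plugs" in spec else list(top_plugs.keys())
        interfaces = {_interface_of(name, top_plugs) for name in plug_names}
        hit = sorted(interfaces & X11_EXPOSING_INTERFACES)
        if hit:
            exposed[app] = hit
    return exposed


def audit_lines(manifest: dict) -> List[str]:
    """Human-readable report lines, one per app that would be exposed to other X11 clients."""
    return [
        f"{app}: requests {', '.join(ifaces)} -> no isolation from other X11 clients"
        for app, ifaces in sorted(x11_exposed_apps(manifest).items())
    ]


def load_manifest(path: str) -> dict:
    """Load a real snap.yaml with PyYAML (pip install pyyaml); not used by the demo so it runs offline."""
    import yaml  # third-party; imported lazily on purpose
    with open(path) as fh:
        return yaml.safe_load(fh)


# Constructed sample manifest for the demonstration (not a real snap).
SAMPLE_MANIFEST = {
    "name": "example-editor",
    "confinement": "strict",
    "plugs": {"desktop-x": {"interface": "x11"}},
    "apps": {
        "editor": {"command": "bin/editor", "plugs": ["desktop-x", "home"]},
        "server": {"command": "bin/server", "plugs": ["network-bind"]},
        "tray": {"command": "bin/tray", "plugs": ["unity7"]},
        "helper": {"command": "bin/helper"},  # no plugs: key -> inherits desktop-x
    },
}

if __name__ == "__main__":
    for line in audit_lines(SAMPLE_MANIFEST):
        print(line)
```

Only `server` comes out clean: it never asks for an X11 connection, so the confinement actually does isolate it from the rest of the desktop, which is the case the comment above describes. The other three would each be flagged before installation.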
>Yes, it's sold as being more secure than other solutions, when it in-fact isn't,
It's entirely possible for SNAP to be 'more secure than other solutions' while still exposing users to one specific risk. There's no need for perfection in order to be able to rightly claim 'more secure'.
I see at https://developer.ubuntu.com/en/snappy/guides/security/ that snap applications default to run in jails. I really hope this becomes the exception, because sooner or later that would prevent me from doing something that I want to do. Just imagine the file manager in a jail and the text editor in another one. Even the browser shouldn't be completely isolated from the rest of the system. I want to do something with the files I download, right? Or imagine Gimp being able to read and write only to ~/gimp instead of into any of the directories of my projects.
TL;DR: I don't want to end up with an iOS on my desktop.
However I understand that sometimes, in ways I can't figure now, I could want to run programs in a jail. Maybe games? The music player? Skype?
But the big security risk IMHO is that vulnerable libraries are not updated into every single snap I have. The unmaintained app will break the security of all the system.
An unpleasant consequence of snaps is that we'll have to download upgrades for every single snap whenever a popular .so gets updated. It's going to be hundreds of MB instead of a few kB. This on top of the extra space required by all those jailed apps. I'd better hurry up and buy a very large SSD.
It's what you will get, because the big boys in the Linux distro world are aiming for Aunt Tillie and office drones.
These days, if you want to do your thing with your Linux install there are perhaps two big names. Gentoo and Slackware. Beyond that you get a smattering of smaller distros on shoestring maintenance.
Sadly much of the upstream is under control of previously mentioned big boys, and they seem to have a crusade going where only their approach matters.
This is a bad title along with a bad article. Either the author has no idea what a package manager is supposed to do, or it's intentionally clickbait. Really disappointing.
> The security mechanisms in snap packages allow for much faster iteration [across all versions of Ubuntu] and Ubuntu derivatives, as [snap applications are isolated from the rest of the system].
Canonical is selling snake oil here when it comes to the desktop. snap applications are not isolated, because they still have full access to any other X11 application due to X11's security model. Garrett is right in calling them out on this.
Compare this e.g. to OS X where there is both sandboxing (as in the application cannot touch other parts of the filesystem, unless you explicitly allow it to) and GUI isolation (applications cannot read events sent to other applications, unless it's an accessibility application and explicitly enabled by the user).
You have to be looking for faults in the language to be concerned over something like this. I know everyone isn't the biggest fan of canonical, and there are good reasons why that is. But they aren't trying to mislead anyone here. You can't possibly try to fault Canonical for X11's "security problem".
I don't know enough about either platform to respond to your OSX comparison. But if the concern is that they don't isolate enough then you are entitled to that opinion. But overall this is an improvement in this regard (whether or not it's an improvement to the overall package management system is open to interpretation).
Ubuntu is actively working on a solution to this problem with Mir. Is CoreOS contributing to Wayland or Mir? If not, perhaps they shouldn't be throwing stones.
@dang: Can we point this to the source article: https://mjg59.dreamwidth.org/42320.html ? "Circumventing Ubuntu Snap confinement" It is much better than the zdnet blog spam.
Where is the snap format documented? I found documentation about the Snapcraft tool, but I have not been able to locate a reference for the format itself.