
Ubuntu 16.04's new Snap format is a security risk - AdmiralAsshat
http://www.zdnet.com/article/linux-expert-matthew-garrett-ubuntu-16-04s-new-snap-format-is-a-security-risk/
======
seeekr
Isn't the article's title misleading? It made me think that the new snap
format is introducing an additional security risk, when what's really the case
is that snap _on Ubuntu desktop_ fails to provide any additional security over
other packaging formats when the packaged binary uses X11 because the latter
is insecure by default in certain ways (the example given is key logging, not
sure if there's other ways). I understand that some important Ubuntu person
made a claim that Ubuntu's Snap is improving security, and that it's
reasonable to counter that and state when and how it does not justify that
claim, but choosing a non-misleading and somewhat click-bait-y title would
still be appreciated. (At least when posting it to HN.)

~~~
mangecoeur
Accurate title would be "Snap packages can't address security failings of X".

~~~
niemeyer
Indeed, or any other case where the application is granted permission to do
something sensitive (camera?) and abuses that trust. Even in those cases,
though, it is an improvement to know the access exists, and to have control
over it.

Some more details about snap interfaces:

[http://blog.labix.org/2016/04/22/snappy-interfaces](http://blog.labix.org/2016/04/22/snappy-interfaces)

------
rdtsc
I think the author latched on to a PR piece from 16.04 release. Yeah that has
the word security in it a few times.

But X11 was there before and installing random packages on your Desktop (or
piping stuff from curl to a root bash, etc) is not secure. That is not
controversial, I'd think.

> Matthew Garrett, a [...] security developer at CoreOS.

There might be a slight conflict of interest here. Although I am all for
exposing security threats and issues regardless, Ubuntu has been advertising
LXD, Juju and such technologies which somewhat compete with CoreOS, so I can
understand why they'd want to move quickly to discredit it.

The whole adorable teddy bear thing is a bit childish perhaps. "Oh look how
evil the new Ubuntu is, it lets evil teddy bears eat your data".

~~~
danieldk
_But X11 was there before and installing random packages on your Desktop (or
piping stuff from curl to a root bash, etc) is not secure. That is not
controversial, I'd think._

The point that Canonical is trying to push is that installing random packages
is more secure with snap/snappy because they are sandboxed (to some extent).
However, as Matthew Garrett points out, this sandboxing is practically useless
as long as you are running on X11, since a sandboxed program can send
keystrokes to other applications, grab keystrokes, do window grabs, etc. So it
still has as much control as unsandboxed applications as long as they are
running in a normal X11 session.

He is right to call them out on this.

_There might be a slight conflict of interest here._

Since he is actually stating (known) facts about X11's security model, I don't
see the problem.

~~~
rdtsc
> is more secure with snap/snappy because they are sandboxed (to some extent).

In a press release. Yes, it is more secure, but when running on a desktop with
X11 it will have the same issues as before with X11.

Imagine a press release for 16.04 that all of a sudden starts going into
details about X11 vulnerabilities. Who does that?

I can see refuting a white paper where Ubuntu makes detailed claims about
security guarantees under certain threat models, but this seems like a cheap
shot to me.

Moreover, under this model you can shoot down any product. "Tor provides
privacy" -- "Ah no it doesn't, here are more details". "The new JDK is faster
than the old" -- "Wrong! Here is a benchmark where it shows it is slower".
And so on.

------
pilif
It's not more or less of a security risk than any other binary that you
download from anywhere (or pipe into bash from curl for that matter).

Yes, it's sold as being more secure than other solutions, when in fact it
isn't, but the headline still is clickbait because if Snap is a security risk
then everything else is too.

~~~
Beacon11
I came here to say just that. It also _does_ increase security if X isn't used
by the application in the snap (i.e. if the X11 or unity7 interfaces aren't
requested).

------
sametmax
Click bait. Snap is like Mac's .app or Windows .exe, period. It has upsides
and downsides, and they are well known.

------
pmontra
I see at
[https://developer.ubuntu.com/en/snappy/guides/security/](https://developer.ubuntu.com/en/snappy/guides/security/)
that snap applications default to run in jails. I really hope this becomes the
exception because sooner or later that would prevent me from doing something
that I want to do. Just imagine the file manager in a jail and the text editor
in another one. Even the browser shouldn't be completely isolated from the rest
of the system. I want to do something with the files I download, right? Or
imagine Gimp being able to read and write only to ~/gimp instead of into any
of the directories of my projects.

TL;DR: I don't want to end up with an iOS on my desktop.

However I understand that sometimes, in ways I can't figure now, I could want
to run programs in a jail. Maybe games? The music player? Skype?

But the big security risk IMHO is that vulnerable libraries are not updated
into every single snap I have. The unmaintained app will break the security of
all the system.

An unpleasant consequence of snaps is that we'll have to download upgrades
for every single snap whenever a popular .so gets updated. It's going to be
hundreds of MB instead of a few kB. This on top of the extra space required by
all those jailed apps. I'd better hurry up and buy a very large SSD.

~~~
digi_owl
It's what you will get, because the big boys in the Linux distro world are
aiming for aunt Tillie and office drones.

These days, if you want to do your thing with your Linux install there are
perhaps two big names. Gentoo and Slackware. Beyond that you get a smattering
of smaller distros on shoestring maintenance.

Sadly much of the upstream is under control of previously mentioned big boys,
and they seem to have a crusade going where only their approach matters.

------
oarsinsync
HN discussion about the blog post that this article is... discussing

[https://news.ycombinator.com/item?id=11547048](https://news.ycombinator.com/item?id=11547048)

------
szerated
This is a bad title along with a bad article. Either the author has no idea
what a package manager is supposed to do, or it's intentionally clickbait.
Really disappointing.

~~~
danieldk
In Canonical's original announcement:

_The security mechanisms in snap packages allow for much faster iteration
[across all versions of Ubuntu] and Ubuntu derivatives, as [snap applications
are isolated from the rest of the system]._

Source: [https://insights.ubuntu.com/2016/04/20/canonical-unveils-6th...](https://insights.ubuntu.com/2016/04/20/canonical-unveils-6th-lts-release-of-ubuntu-with-16-04/)

Canonical is selling snake oil here when it comes to the desktop. Snap
applications are not isolated, because they still have full access to any
other X11 application due to X11's security model. Garrett is right to call
them out on this.

Compare this e.g. to OS X where there is both sandboxing (as in the
application cannot touch other parts of the filesystem, unless you explicitly
allow it to) and GUI isolation (applications cannot read events sent to other
applications, unless it's an accessibility application and explicitly enabled
by the user).

~~~
szerated
You have to be looking for faults in the language to be concerned over
something like this. I know everyone isn't the biggest fan of Canonical, and
there are good reasons why that is. But they aren't trying to mislead anyone
here. You can't possibly try to fault Canonical for X11's "security problem".

I don't know enough about either platform to respond to your OSX comparison.
But if the concern is that they don't isolate enough then you are entitled to
that opinion. But overall this is an improvement in this regard (whether or
not it's an improvement to the overall package management system is open to
interpretation).

------
bryanlarsen
Ubuntu is actively working on a solution to this problem with Mir. Is CoreOS
contributing to Wayland or Mir? If not, perhaps they shouldn't be throwing
stones.

------
timtadh
@dang: Can we point this to the source article:
[https://mjg59.dreamwidth.org/42320.html](https://mjg59.dreamwidth.org/42320.html)?
"Circumventing Ubuntu Snap confinement" It is much better than the zdnet
blog spam.

------
marssaxman
Where is the snap format documented? I found documentation about the Snapcraft
tool, but I have not been able to locate a reference for the format itself.

------
jjawssd
Fix the title

------
markshuttle
mjg59's comments are fair. ZD's headline is clickbait :)
