ChanServ changed the topic of #wayland to: https://wayland.freedesktop.org | Discussion about the Wayland protocol and its implementations, plus libinput
<DemiMarie>
kennylevinsen: clipboard access extensions are a serious security risk when used with SSH, unless the clipboard content is transmitted via an out of band mechanism.
<kennylevinsen>
DemiMarie: see OSC-52
<DemiMarie>
kennylevinsen: which has known security problems
<DemiMarie>
When using a non-sandboxed application (which is most CLI applications), it really is more secure to connect to the Wayland compositor directly, rather than to communicate with the terminal emulator.
<kennylevinsen>
not sure I agree
<kennylevinsen>
But you have the same security issue when using e.g. waypipe, rdp, SPICE, …
<emersion>
the wayland socket can only grant extra privileges compared to the escape codes provided by the wayland terminal emulator
<DemiMarie>
emersion kennylevinsen: the difference is that the Wayland socket is only available to local applications, whereas the escape codes are available to remote applications.
<kennylevinsen>
I think Demi’s idea is that it would then not work over ssh, which would then of course be extremely annoying over ssh
<zamundaaa[m]>
Demi: unless you give all apps clipboard access all the time, you can't make that work
<zamundaaa[m]>
You need a focused surface to get clipboard access, which terminal applications don't have, local or not
<emersion>
i mean… the whole point is to make it work over ssh
<DemiMarie>
emersion: seriously?
<DemiMarie>
that was not at all what I was expecting
<emersion>
the whole point of OSC-52, yeah
* DemiMarie
is very, very surprised
<emersion>
(and also make it WSI-independant, i suppose)
garnacho has quit [Ping timeout: 480 seconds]
<emersion>
(but CLI apps have long just invoked xclip and such)
<DemiMarie>
to me, the best solution is to replace the old terminal with an explicit protocol
<DemiMarie>
kennylevinsen: breaking clipboard access over SSH is the point. I don’t want remote applications to have clipboard access.
<DemiMarie>
More specifically, I don’t want them to have implicit clipboard access.
RAOF has quit [Remote host closed the connection]
<DemiMarie>
My usual assumption with SSH is that the remote host is less trusted with the local one and should not be able to access the user’s clipboard without user confirmation.
<DemiMarie>
That said, this is a valid difference in threat model.
<emersion>
you grant any webpage clipboard access
<emersion>
ssh is not very different here
<zamundaaa[m]>
Demi: like I said, you can't do that without opening up more security holes in Wayland
<mclasen>
who knows what you grant a webpage nowadays...
<zamundaaa[m]>
If there's issues in how terminal emulators grant access to the clipboard, then those issues have to be fixed
<DemiMarie>
emersion: I believe I don’t, actually. I disable that via a Chrome policy.
<emersion>
you can disable OSC-52 in the same way
<DemiMarie>
emersion: what I would like (and was very easy with X11) is to have it enabled for local apps _only_.
<emersion>
i don't see how wayland changes things
<DemiMarie>
emersion: `wl-clipboard` not working would be annoying
<DemiMarie>
but this is also a very valid difference of opinion
<emersion>
i don't understand
<DemiMarie>
zamundaaa: I would use security-context to restrict sandboxed apps while unsandboxed apps have full access.
<emersion>
you want to make OSC-52 not work? and you're talking about wl-clipboard, which isn't used by OSC-52?
<mclasen>
there seem to be two opposing opinions here
<emersion>
disabling OSC-52 would be done by configuring the terminal emulator
<emersion>
or is it something else that you want?
<DemiMarie>
emersion: if wl-clipboard doesn’t work, then OSC-52 is the only way (that I know of) for a _local_ Wayland application to access the clipboard, but that is also available to _remote_ Wayland applications.
<mclasen>
1) osc 52 makes the clipboard accessible to remote apps - bad
<mclasen>
2) xclip makes the clipboard unconditionally accessible to any local app - good
<mclasen>
at least that is how I understand what DemiMarie is saying
<DemiMarie>
mclasen: all _unsandboxed_ local apps
<DemiMarie>
to me, there is no point in protecting from something that could write to ~/.profile.
<mclasen>
there's no sandboxing in X to limit that
<DemiMarie>
mclasen: am I being confusing here?
<DemiMarie>
My assumption is that sandboxed apps don’t have X11 access.
<mclasen>
yes, if your compositor does the security contex thing, you could make that distinction
<DemiMarie>
exactly!
<mclasen>
I don't think it is very useful
<emersion>
it allows GNOME to reliably identify apps asking to intercept global compositor bindings
<emersion>
even for GNOME, it is useful
<emersion>
(for non-GNOME, it's even more useful)
<mclasen>
we'll use a portal
<emersion>
even then, it allows GNOME to reliably identify apps setting their xdg_toplevel.app_id
<mclasen>
there's great utility in being able to identify apps
<mclasen>
but I don't see why my compositor needs ot be involved in that
<mclasen>
the only reason would be to pretend that dbus doesn't exist
<emersion>
thanks for the productive comments
* emersion
checks out
<mclasen>
but we can agree to disagree on that
<Company>
are we doing nesting of security contexts?
<Company>
the biggest problem with all of this is that in the mind of users, "the clipboard" is a global thing
<Company>
so whatever method anyone comes up with for securing it will be unintuitive because it breaks that assumption
<Muzer>
cheers for the pointers, I've patched out the checks in kwin so now I can have the X clipboard work as it did in X :)
<Muzer>
works a treat
<Muzer>
incidentally to add to the debate, FWIW I use ssh x forwarding at work. Literally the only reason I do this is to get clipboard integration between my remote vim instance running on a Linux server and my work-issued Windows machine (via WSL), along with the occasional command-line use of xclip
<DemiMarie>
Company: you can ask Qubes OS how to de-train users of that assumption
<Company>
I don't think users want to be de-trained
YaLTeR[m] has joined #wayland
<YaLTeR[m]>
arguably if you're using a system that clearly puts security front and center, you're already expecting things to not always work
<Company>
the first interop thing everyone always does is make the clipboard work
<DemiMarie>
YaLTeR: that is somewhat true, but we work hard to make as much work as possible.
<Company>
so you can copy/paste into/out of your vms
<zamundaaa[m]>
Company: that's not really true actually, spice-vdagent doesn't have any Wayland support yet
<zamundaaa[m]>
It only works on Gnome because it gives X11 apps unconditional access to the clipboard
<DemiMarie>
Qubes OS does have a global clipboard, but access to it is explicit, not implicit, which solves the security problems.
bookworm_ has joined #wayland
bookworm has quit [Remote host closed the connection]
nysach has joined #wayland
nysach has quit [Remote host closed the connection]
nysach has joined #wayland
nysach has quit [Remote host closed the connection]
lockywolf has quit []
lockywolf has joined #wayland
mclasen has quit [Quit: mclasen]
mclasen has joined #wayland
RAOF has joined #wayland
riteo has quit [Ping timeout: 480 seconds]
Company has quit [Ping timeout: 480 seconds]
fmuellner has quit [Ping timeout: 480 seconds]
Company has joined #wayland
Guest2530 has quit [Remote host closed the connection]
cool110 has joined #wayland
cool110 is now known as Guest2551
<DemiMarie>
Regarding enums: could there be an on_out_of_range attribute in the XML, which would both specify that out of range values are a protocol error and specify the specific error to use?
nerdopolis has quit [Ping timeout: 480 seconds]
Brainium has quit [Quit: Konversation terminated!]
Guest2551 has quit [Remote host closed the connection]
<Muzer>
<YaLTeR[m]> arguably if you're using a system that clearly puts security front and center, you're already expecting things to not always work <-- indeed but since Wayland is being touted by distros as a general-purpose replacement for X I don't think most users would perceive it as "putting security front and centre", or even want that when it involves compromising functionality. After all, realistically for most people, if someone has access to your user,
<Muzer>
it doesn't matter whether or not they have access to the clipboard, it's pretty much game over. You can do all sorts of damage with someone's browser cookies without even having to know their passwords. So with this in mind this particular brand of clipboard security seems particularly obtuse to me... which is why I patched it out :) given kwin already has user-configurable options for allowing X apps global access to the keyboard, I think I might try to
<Muzer>
upstream a config option to the same effect for the clipboard.
<YaLTeR[m]>
I was talking about qubes os
<Muzer>
ah sorry
<Muzer>
I saw that message but didn't make the contextual link
<kennylevinsen>
well, any general purpose OS must put security front and center, QubesOS just takes that further and makes tradeoffs that the average user might deem unacceptable
<kennylevinsen>
variation is good though - people have different tastes, preferences, and (in case of security) things to worry about
<Muzer>
absolutely agreed
<Muzer>
for the example of my work usage of the X11 clipboard especially - if someone external has access to my X forwarding session that's already a horrendous security breach that could have huge implications. The fact that they can also get access to the code/log lines/whatever I'm copying between Windows and the remote development server is so far down my list of priorities at that point that I'm not really willing to make any usability sacrifices to prevent it...
<Muzer>
(of course you could argue that's a moot point as I suspect this sort of use case is going to be one of the last hold-outs of X over wayland, but whatever)
<kennylevinsen>
note that there is a difference to variation vs. adding big toggles to change fundamental behavior
<kennylevinsen>
if compositors in general had a "security off" button, apps would start getting written to require security to be off, and then users would no longer be able to use their system with security on, making it all for nothing
<Muzer>
perhaps it's my imagination but I've always found KDE to be fairly keen on its big toggles for fundamental behaviour, by comparison to other desktop environments
<kennylevinsen>
Those toggles are not fundamental behavior, they're just preferences
<Muzer>
what is really the difference here between what I'm proposing and the existing toggles for allowing legacy X apps global access to the keyboard and mouse?
<Muzer>
because that toggle already exists
<kennylevinsen>
Toggles for fundamental behavior is like compiling your kernel without filesystem permission support, so everything is free for all
<kennylevinsen>
there's a big difference between *that*, and changing between single-click or double-click, moving your systray, changing your fonts, etc.
phodius has quit [Quit: Page closed]
<kennylevinsen>
The KDE toggle for global keyboard and mouse access is already a very special workaround that I don't think anyone else has - and I don't think KDE *wants* to have it either, I imagine it's just temporary
<kennylevinsen>
but I can't comment on that
<zamundaaa[m]>
With the adoption rate of the global shortcuts portal, "temporary" will be a long time. But yes, it's not supposed to stick around forever
___nick___ has quit [Remote host closed the connection]