Re: gnome-keyring Request for comments on security of authentication/authorisation UIs
- From: "Dodier-Lazaro, Steve" <s dodier-lazaro 12 ucl ac uk>
- To: Allan Day <allanpday gmail com>
- Cc: "gnome-shell-list gnome org" <gnome-shell-list gnome org>, "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>, "desktop-devel-list gnome org" <desktop-devel-list gnome org>
- Subject: Re: gnome-keyring Request for comments on security of authentication/authorisation UIs
- Date: Tue, 1 Apr 2014 18:55:17 +0000
Hello,
One does one keep informed about this? Where do I sign up?
That's a good question. You can subscribe to the wiki page that I
linked to, follow this mailing list, and follow Planet GNOME. I'm sure
that there will be traffic on this topic once we make progress.
Done, thanks. It seems to me there is no specific place to discuss the relationships between sandboxing and
"data sharing models" at the moment. I don't want to just keep in touch, in a sense, but I'm very willing to
contribute time and effort (including coding stuff) to make sandboxed apps happen. I happen to be paid to do
exactly that (though at the "research prototype" level of quality, not production-ready code).
Questions that come to mind are: should there be a specific place to discuss sandboxing and its implications
(seems to me all the interested parties are already GNOME devs, except maybe for Dan Walsh and Ikey Doherty)?
Is this ML ok to use? Do you welcome contributors external to GNOME? The question is maybe a bit stupid, but
I've had bad experiences with Ayatana and I wouldn't want people to think that I'm a guy coming out of
nowhere stepping on their toes and contributing nothing useful.
I don't think we've fully decided what kind of mode we'll use for
"sharing". You're right that it could be purely about publishing, or
sharing between people. Another model is that sharing becomes the
generic action for passing data between apps, or between apps and
devices: eg. a document viewer could say "share this document with my
printer".
I've been browsing through the desktop-devel archives and found a post by Ikey about sandboxing apps, it
seems you guys discussed already quite a bunch of things related to how Portals operate. I now understand
better what you meant by using a Share mechanism.
Basically I think the following principles must hold true to ensure a mechanism to share/access data cannot
be abused by a sandboxed app:
- there must be an end-to-end trusted path between the user's input and the system (hear, OS or compositor)
and between the system and output to the user
- or there must be some form of indirection outside of the app's control to modify / request system/user data
Contrarily to Ikey's proposal, I think a lot of this can be achieved transparently for app developers (though
probably not all of it). For instance for file dialogs I'm quite confident that all apps that only using the
standard features of the GtkFileChooserDialog class could be ported to having a Portal-provided dialog. I'm
trying right now to write a subclass that turns every method into a DBus call for a server to recompose the
dialog on its end (which is not w/out security implications e.g. DoS attacks but let's leave this aside for
now). With such a dialog, the provider could just do a mount bind to the selected file in the sandbox and
then return the filename for the app to transparently open the file. Of course many apps would still fail
because they do non-standard stuff, but at least apps that behave properly would avoid rewriting with a new
API. All it takes is linking to a new GTK+ lib.
The print dialog could work likewise since you'd normally get a Print dialog
(https://developer.gnome.org/gtk3/stable/GtkPrintUnixDialog.html for Linux at least). So, adding an
indirection such as "Share with printer" that then pops the dialog may be unnecessary for this case?
Now, it seems very easy when looking at apps outputing some information for some other component of the
system. All you need is them to use an API that opens a DE-controlled GUI. Likewise the very basic file
opening use case maps very well. I'm just starting to think about more complex file usage models, and about
how to support them. For instance some apps naturally open and process large amounts of files. A music player
typically wants to scan entire folders for relevant files. If you take Exaile's collection manager
(http://sidi.mupuf.org/files/exaile-collection.png), this could probably be made into a third-party
dialog/widget* that exposes folders, and restricted to a specific mime type or read-only access with just a
few clicks. If that was proposed as a GTK widget then apps could be tempted to outsource this aspect to the
GTK widget and these apps could then be sandboxed without disruption?
Other typical use/cases are when a user processes some data from one app to another (e.g. download an image,
crop/modify it, include it into a document). In this case a generic "Share with ... app" mechanism may be
more powerful and nicer than the current save file to FS, open next app, open file in app, save modified
file, etc. workflow. The hardest use case for me so far is when you manipulate some file in two apps at a
time (maybe typing some document in an editor and then looking at the outcome in a viewer). The apps would
need to share their sandbox, or to read and write simultaneously on the FS or use IPC.
Even more annoying use cases: assume I have a browser/music player (typical apps that use DBus to redirect
you to a running instance when you relaunch them) running in a sandbox and launch a new instance of it.
Should I be redirect to the existing app or should a new / separated process open up? Typically for a browser
you might want to manage different profiles so you can visit your bank website without worries, while for the
music player you rarely want two instances.
I don't think it should be up to users to decide what to sandbox or how apps should behave. First because
they have no clue what security risks exist out there (which I wouldn't blame them for :) ) and second
because they like to stick to defaults, so an optional sandbox would just accumulate dust in the corners of
their OS, for most of them. That's why I'm interested in first finding out whether we can design general
interactions / APIs that fit the vast majority of apps out there and for which we can write sensible default
policies. If that fails then we can fallback to optional sandboxing that's more constraining on the user and
app developer.
Would you like me to put these down on a wiki page so we can extend and find for which use cases problems
arise? This would also reduce the risk of the existing discussions being lost, should other people jump in
the train and contribute ideas.
Thanks,
--
Steve Dodier-Lazaro
PhD student in Information Security
University College London
Dept. of Computer Science
Malet Place Engineering, 6.07
Gower Street, London WC1E 6BT
OpenPGP : 1B6B1670
________________________________________
From: Allan Day <allanpday gmail com>
Sent: 01 April 2014 09:49
To: Dodier-Lazaro, Steve
Cc: gnome-shell-list gnome org; desktop-devel-list gnome org; gnome-keyring-list gnome org
Subject: Re: Request for comments on security of authentication/authorisation UIs
Dodier-Lazaro, Steve <s dodier-lazaro 12 ucl ac uk> wrote:
...
I'm afraid we don't currently have a clear plan for how all the pieces
will fit together, but we do have ideas and are looking to develop a
concrete plan for the UX in the near future.
One does one keep informed about this? Where do I sign up?
That's a good question. You can subscribe to the wiki page that I
linked to, follow this mailing list, and follow Planet GNOME. I'm sure
that there will be traffic on this topic once we make progress.
One relevant area is
sharing [1], as the UX mechanism through which it is possible to share
data between applications.
Interesting. It seems these UIs play a specific goal though, maybe better coined
as "Publishing" to specific destinations made compatible one by one. There are
many different models for how an app may process the user's data and how you could
combine apps. I've been trying to think of sandboxing in terms that don't involve
me having to figure out / describe / support these models at all but there is a
lot of research to do to find the right approach to data sharing for sandboxed apps.
There isn't a single existing product I'm happy with, but this is maybe off-topic
for now (very happy to discuss it elsewhere though).
...
I don't think we've fully decided what kind of mode we'll use for
"sharing". You're right that it could be purely about publishing, or
sharing between people. Another model is that sharing becomes the
generic action for passing data between apps, or between apps and
devices: eg. a document viewer could say "share this document with my
printer".
Allan
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]