Bug #12297
Make Tails Server compatible with Wayland
0%
Description
In Wayland, only the local user (amnesia) is able to run UI applications. It is not planned that this will be changed, for more information see this ticket.
So, the previous plan to run tails-server as a dedicated user with polkit rules to allow priviliged actions is not compatible with Wayland.
There seem to be 4 options:
1. Run tails-server as a dedicated user with polkit rules, using some workaround like `xhost si:amnesia:tails-server-user` or `XDG_RUNTIME_DIR=/run/user/$MY_UID`. This would make use of XWayland instead of Wayland. We would have to investigate further implications of this.
- Pro: Almost no additional coding required
- Contra: Still has to be investigated
2. Create polkit rules to allow amnesia to execute the required priviliged actions. This would allow all apps to execute these actions, so we have to think about security implications. We could adjust the polkit rules to only allow the exact actions required by Tails Server, i.e. install/remove those packages required by some service in Tails Server, start/stop the corresponding systemd units, edit the config files, etc.
- Contra: This would offer a lot of attack surface to other applications.
3. Run the GUI as amnesia and the back-end as root in separate processes, and expose a reduced high-level control interface.
- Contra: This would require additional effort to implement 1. the Inter-process-communication, and 2. the reduced high-level control interface.
- Contra: The back-end would accept commands from all apps running as amnesia user, which might offer attack surface (but certainly less than option 2, because the interface can be reduced more fine-grained).
4. Run the GUI as amnesia and the back-end as root in separate processes, and expose a low-level control interface, that only accepts commands from the GUI process. This could be done with something like the Tor control port filter, which handles incoming requests depending on the AppArmor profile currently applied to the client.
- Contra: This would require additional effort to implement 1. the Inter-process-communication, and 2. the “control-port-filter”-like functionality (maybe the Tails control port filter proxy could be reused for this?).
- Pro: The back-end would accept commands only from the Tails Server GUI
5. Run the GUI as amnesia and the back-end as root in separate processes, and expose a reduced high-level control interface, that only accepts commands from the GUI process.
- Contra: This would require additional effort to implement 1. the Inter-process-communication, 2. the reduced high-level control interface, and 3. the “control-port-filter”-like functionality.
- Pro: The back-end would accept commands only from the Tails Server GUI and has a reduced control inteface (providing some fallback security in case the control filter is circumvented)
Subtasks
History
#1 Updated by segfault 2017-03-04 19:31:57
- Affected tool set to Server
#2 Updated by segfault 2017-03-04 19:32:10
- Subject changed from Make Tails-Server compatible with Wayland to Make Tails Server compatible with Wayland
#3 Updated by intrigeri 2017-03-05 09:38:26
> 3. Run the GUI as amnesia and the backend as root in separate processes, and expose a reduced high-level control interface.
> * Contra: The back-end would accept commands from all apps running as amnesia user, which might offer attack surface (but certainly less than option 2, because the interface can be reduced more fine-grained).
Note that this IPC interface can be limited to the Tails Server GUI, just like in option 4.
You may choose to include this provision in option 3, or call it option 5.
#4 Updated by segfault 2017-03-05 12:54:33
- Description updated
> Note that this IPC interface can be limited to the Tails Server GUI, just like in option 4.
> You may choose to include this provision in option 3, or call it option 5.
Sure, I added it as option 5. This only provides additional security in case the control filter was circumvented, right? Personally, I feel like leaning towards option 1 or 4, because they require the least additional work and increase of code complexity.
#5 Updated by intrigeri 2017-09-07 08:10:38
- Parent task set to Feature #12213
#6 Updated by intrigeri 2017-09-07 08:12:22
- Target version changed from Tails_4.0 to 2019
(Like the parent ticket, assuming we don’t have to switch to Wayland earlier.)
#7 Updated by segfault 2018-02-10 09:32:57
- related to Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services added
#8 Updated by intrigeri 2018-02-11 06:52:57
> Related to Feature Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services added
What’s the benefit of adding such a “Related to” relationship on tickets that have “Affected tool: Server” already?
#9 Updated by segfault 2018-02-11 10:23:52
intrigeri wrote:
> > Related to Feature Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services added
>
> What’s the benefit of adding such a “Related to” relationship on tickets that have “Affected tool: Server” already?
It fits better the way I use redmine. With the relationship set, I can see all the issues I want to work on for Tails Server on the Feature #5688 page. To see the tickets with “Affected tool: Server”, I have to create a custom search, which I don’t look at that often (not once yet, I think). Is this a problem?
#11 Updated by intrigeri 2018-08-19 10:14:51
- Target version deleted (
2019) - Parent task changed from Feature #12213 to Feature #5688
I think it’s the other way round: time has flown and IMO it should now be a requirement, before Tails Server is merged, that it’s compatible with Wayland. Rationale: we can’t afford increasing our technical debt and IMO adding blockers to switch to Wayland (before GNOME starts bitrotting on X.Org) would do exactly that.