53

After reading "Xorg becomes the default display server again" and considering the security risk of Xorg, I am wondering why the developers left Wayland. The fact that a few programs do not work on Wayland does not justify such a security risk. Any low-permission program will have your password and they can enjoy it.

Does anybody know why Wayland or any other alternative could not continue with Ubuntu and why this risk is tolerated?

kloddant
ar2015
  • 14
    The primary reason for the move to Wayland was not security, but a more modern architecture which fixes quite a lot of X11 quirks (i.e. having multiple context menus open at the same time). Security is one advantage, but not the only one and for most people not the most important one. For the switch back see the answer from @forest. When things don't work well yet, you should not replace such an important component. Especially since Ubuntu had a lot of bad experience in the past when they were an early adopter of PulseAudio. – allo Apr 17 '18 at 13:33
  • 33
    You seem to believe that 1) that security risk was (relatively) recently discovered 2) that Wayland completely fixes it 3) that said security risk is really dangerous 4) that the move away from X was to fix that security risk. I'm afraid all 4 of your assumptions are flawed. This has been known for *decades*, and it is a pretty acceptable flaw. Sure: users that will run/install anything they come across will suffer from it, but smarter users will probably be affected by different issues, since when that flaw can be exploited it is already game over. – Bakuriu Apr 17 '18 at 18:50
  • 1
    @Bakuriu It is not game over once someone has local access to X11. Because it can be accessed over the network (even if it is not really network transparent), there have been a few instances where attackers could access it over certain browsers in specific circumstances (where it was actually exploited in the wild). Also, someone may have access to X11 but only for an unprivileged user. A smart user will not run programs of different security domains under the same X server. – forest Apr 18 '18 at 02:57
  • 1
    @forest I'm not aware of any recent Linux distribution that lets X listen on the network by default; Debian (on which Ubuntu is based) hasn't for maybe two decades. Locally, clients connect to the X server over a Unix socket which demands authentication (see `man xauth` for details), so other users cannot connect to your X server and grab your keypresses. So under most circumstances, a program that can access your X server to grab keys is already running locally under your user, which is why I believe Bakuriu called that scenario game over. Where does your interpretation differ? – marcelm Apr 18 '18 at 22:00
  • @marcelm My memory of this comes from years ago, so it could very well be before unix domain sockets were commonly used for Xorg. – forest Apr 19 '18 at 02:20
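
Added example (not part of the thread): marcelm's comment above rests on two conditions, that the X server has no TCP listener and that connections require authentication. This Python sketch checks both from the text of `/proc/net/tcp` and the output of `xhost`; the function names, the display range and the sample inputs are constructed for illustration.

```python
X11_BASE_PORT = 6000   # display :N uses TCP port 6000+N when TCP is enabled
MAX_DISPLAY = 63       # assumption: only displays :0 to :63 are checked
TCP_LISTEN = "0A"      # state code for LISTEN in /proc/net/tcp

# Constructed samples, not captured from a real system.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21002
   2: 0100007F:1771 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 21003
"""
SAMPLE_XHOST = """\
access control enabled, only authorized clients can connect
INET:build-host.example
SI:localuser:alice
"""


def x11_tcp_listeners(proc_net_tcp):
    """Return (hex_local_address, display) for LISTEN sockets on X11 ports."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                                  # not a listening socket
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        display = int(port_hex, 16) - X11_BASE_PORT
        if 0 <= display <= MAX_DISPLAY:
            found.append((addr_hex, display))
    return found


def xhost_findings(xhost_output):
    """Flag xhost states that admit clients without an xauth cookie."""
    lines = xhost_output.splitlines()
    findings = []
    if lines and lines[0].startswith("access control disabled"):
        findings.append("access control disabled")
    for entry in (l.strip() for l in lines[1:]):
        # SI:localuser:<name> admits one local user; anything else
        # (INET:host, LOCAL:, ...) admits a wider set of clients.
        if entry and not entry.startswith("SI:localuser:"):
            findings.append("broad access entry: " + entry)
    return findings


if __name__ == "__main__":
    print(x11_tcp_listeners(SAMPLE_PROC_NET_TCP))
    print(xhost_findings(SAMPLE_XHOST))
```

On a live system, pass the contents of `/proc/net/tcp` and `/proc/net/tcp6` to the first function and the captured output of `xhost` to the second; an empty result from both matches the configuration the comment describes.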

3 Answers

85

They are doing this because the next release is an LTS release, which means stability is the primary concern. Xorg has a good track record of stability, whereas Wayland is still (relatively) new. This decision is not permanent and does not mean Ubuntu has given up on using Wayland, just that it has delayed it. You can also opt to use Wayland instead of Xorg if you would like.

From Ubuntu Insights, the three primary reasons for using Xorg by default are:

  1. Screen sharing in software like WebRTC services, Google Hangouts, Skype, etc. works well under Xorg.

  2. Remote Desktop control, for example RDP & VNC, works well under Xorg.

  3. Recoverability from Shell crashes is less dramatic under Xorg.

You will still be able to use Wayland and it is still pre-installed:

> The Wayland session will still be available, pre-installed, for people to use, but for our ‘out of the box’ users the Ubuntu experience needs to be stable and provide the features they have come to expect and use in daily life and Xorg is the best choice here, at least for 18.04 LTS, but for 18.10 we will re-evaluate Wayland as the default.

forest
  • 21
    According to Wikipedia, Wayland was first released 30 September 2008. That's almost **ten years ago**... :( – RonJohn Apr 17 '18 at 13:39
  • 41
    @RonJohn that just shows how difficult such a project is, regardless of how necessary it is for the ecosystem. It takes years to reach trustworthy stability. And by the way Wayland 1.0 was released "only" on 22 October 2012. Wayland for the win! – Ramon Snir Apr 17 '18 at 13:47
  • 11
    @RonJohn, X11 was first released in 1987; X386 (the original version of what is now Xorg) was released in 1991. Ten years isn't a lot of time to try to catch up to 27 years of development. – Mark Apr 17 '18 at 18:52
  • 6
    That's very nice when a company thinks of users so much, unlike other OS making companies who don't allow their users to choose what they want from software, restrict them to their own "vision", and give no option to choose for themselves. Linux should become more popular and used. – wha7ever Apr 17 '18 at 18:52
  • @Mark honestly, how active is Xorg development? – RonJohn Apr 17 '18 at 18:56
  • 2
    @RonJohn It's decently active. You can `git clone git://anongit.freedesktop.org/git/xorg/util/modular` to see recent commits for yourself. – Nic Apr 18 '18 at 01:37
  • 1
    @AlexL to be fair, the users are more technically savvy and are fully aware that things can break and aren't afraid to "get their hands dirty" when they do. Most Windows/Mac users would be clueless if something like their display server breaks. – Benjamin Gruenbaum Apr 19 '18 at 09:35
  • @BenjaminGruenbaum for a start Windows doesn't really have a display server, as it was designed to *be* a window manager first and multi-process/multi-user operating system second. – OrangeDog Apr 19 '18 at 10:47
  • @RonJohn Being a Fedora user I can verify that there are still *plenty* of problems with using Wayland as the default graphics server. Lots of stuff is just wonky and has weird artifacts. – Clearer Apr 19 '18 at 12:03
  • @BenjaminGruenbaum True. But if people pride themselves in being technologically advanced they have no excuse not to learn how their beloved technology works/functions. People want security, customization, no tracking of their info, etc, but are unwilling to spend time to educate themselves about Linux. I am almost sure Linux would become more stable if it would get more following. – wha7ever Apr 19 '18 at 13:38
27

@Forest's answer is helpful but I'd like to address the security perspective.

While there is a security risk, it's likely considered an acceptable risk, and possibly a feature, as mentioned in @BenCreasy's comment. It's clearly acceptable enough such that Xorg has been the default display server on many distributions for many years.

The primary concern seems to be that a process running as a user can log all keystrokes entered by the user from other processes, which may include passwords or other secrets. However, with a standard threat model, to get to the point where this could be used, you've already trusted and allowed the program to run as your user. It could do much nastier things than simply log keystrokes. Therefore, while an oversimplification, it's like saying "there's a security vulnerability in the system because running this malicious program gives me a virus".

However, this is not the best model, and is why Wayland attempts to solve the issue.

multithr3at3d
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/76320/discussion-on-answer-by-multithr3at3d-why-has-ubuntu-18-04-moved-back-to-insecur). – Rory Alsop Apr 20 '18 at 10:56
  • @JimmyJames - When you say "It's not the case that ability to capture the information that is already available to a running browser from a script or extension would imply, require, or otherwise be equivalent to being able to modify the system. Access to information is typically easier to gain than control.", do you mean that if a browser plugin is malicious that it extends to the ability to modify the system? If yes, would that not mean that the malicious plugin has the ability to sniff the privileged credentials when a secondary application is run and the command is passed to it? – Motivated Jan 22 '19 at 06:18
  • @JimmyJames - For example, if I have a terminal emulator running and the command `sudo` is passed with root credentials, would/can it not result in the credentials being captured to execute other malicious applications? – Motivated Jan 22 '19 at 06:19
5

> I am wondering why the developers left Wayland

At least on some computers some programs do not work properly (or even do not work at all) when using Wayland (while the programs work fine on Xorg):

Bug report #1731102 filed on Canonical's bug reporting site "launchpad.net" even describes that nearly all programs did not work correctly on the user's computer.

(I myself had similar experiences with Wayland; however, only some programs caused problems.)

Obviously for the developers of Ubuntu it is more important that Ubuntu works correctly on every computer than getting rid of a potential security risk (not knowing if the use of Wayland will introduce new security risks - of course).

> the security risk of Xorg

The security risk described in your link is also present in Microsoft Windows (up to Windows 7).

So maybe that security risk is not considered to be too critical.

Martin Rosenau
  • 11
    Your personal experience should be more of a comment than an answer, as it does not answer OP's question. It is just a review of Wayland. – forest Apr 18 '18 at 06:19
  • 1
    Indeed. While Wayland is also completely unusable on my system, this answer must undergo a pretty big revision to stay on topic – pipe Apr 18 '18 at 07:21
  • +1 didn't know that: `The security risk described in your link is also present in Microsoft Windows.` – ar2015 Apr 18 '18 at 07:52
  • 1
    This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - [From Review](/review/low-quality-posts/117924) – LvB Apr 18 '18 at 13:09
  • @LvB I re-worked my complete answer. Could you review the changes? Thanks. – Martin Rosenau Apr 19 '18 at 06:15
  • @forest I re-worked my complete answer. Could you review the changes? Thanks. – Martin Rosenau Apr 19 '18 at 06:15
  • The answer is still incorrect. You cannot modify Xorg to remove the ability to disable keylogging (and removing extensions does not require modifying the source, just adding it to the extension blacklist file). I imagine you are talking about the XTEST extension? All it is is an example extension. The X11 protocol itself **fundamentally does not allow for isolation.** No one patches Xorg to "disable" the ability to log keystrokes because it is fundamentally impossible without completely rewriting the X server (aka creating Wayland). See also the horribly failed XSECURITY debacle. – forest Apr 19 '18 at 06:17
  • @ar2015 The security risks are present in Windows, but to a lesser extent. Windows at least makes an attempt to avoid this kind of keylogging, but I believe there are ways to bypass it. To say that the risks described in the link are not present in Microsoft Windows is simply incorrect. – forest Apr 19 '18 at 06:24
  • @forest I removed the part with "Xorg may be modified". As far as I understood correctly the "security risk" is that one application can read the keyboard while you type a password in a console-based application. Right? Under Windows I could do this using the `GetAsyncKeyState()` API. Without using any X11 extensions however this seems to be much more difficult to implement under X11. – Martin Rosenau Apr 19 '18 at 06:37
  • @MartinRosenau It also allows an application to inject any events as well as intercept them. Even without an X11 extension, you can still use things like `XQueryKeymap()`. On Windows, if I recall, you can only log keys for the currently selected window (or perhaps security domain). – forest Apr 19 '18 at 06:39
  • @forest Thanks. I was not aware of `XQueryKeymap()`. Under Windows I used `GetAsyncKeyState()` to implement some "hot-key" feature in a self-written program: Whenever some certain key is pressed the program (running in the background) will do some action. At least in Windows 7 this works independently of the program currently being "in foreground". So you can read the keyboard status of any key at any time. (Some virus scanners however add the feature "prohibit reading the keyboard status".) – Martin Rosenau Apr 19 '18 at 06:46
  • Shamelessly stolen from a [comment](https://news.ycombinator.com/item?id=7608132) on HN: `GetAsyncKeyState will not reflect input that is sent to an elevated window. So, it does not break UIPI.` Not that UIPI is perfect of course, but it is far better than contemporary X11 which has _no_ equivalent. – forest Apr 19 '18 at 06:48
  • @forest This feature seems to be new in Windows 8 or Windows 10 so I edited my answer again. On my computer (Windows 7) `GetAsyncKeyState` definitely always returns the state of all keys (which caused bad side-effects when I forgot to close my program). Modifying an X11 server in a way that `XQueryKeymap()` returns 32 0-bytes if the request came from another connection than the one owning the keyboard focus should also not be too difficult. (`xmodmap` might not work correctly - but this should also be the case under Wayland.) – Martin Rosenau Apr 19 '18 at 06:59
  • I don't know much about Windows' isolation, so I'll take your word for it. As for X11, the X server sees no actual distinction between the different windows, since that is entirely the job of the window manager. As such, not only does Xorg not know what window is in focus, it doesn't even know what a window _is_. So there is no way for X11 to refuse to provide the key state based on this without heavy integration with the window manager, in which case you've just re-invented Wayland and libwayland. – forest Apr 19 '18 at 07:01
  • @MartinRosenau Can you try using `GetAsyncKeyState()` on a password UAC prompt? It could be that the isolation is only for privileged windows, even on 7. Also, the connection owning the keyboard state can be "locked" with `XGrabKeyboard()`, but it is not a security measure and there are numerous bypasses (which is why it's silly that some password prompts grab the keyboard). – forest Apr 19 '18 at 07:59