Canonical has been talking up Snaps, a new type of package format featured in Ubuntu 16.04 LTS. “Users can install a snap without having to worry whether it will have an impact on their other apps or their system,” reads Canonical’s announcement. But this isn’t true, as prominent free software developer Matthew Garrett recently pointed out.
The Snap sandbox doesn’t work on the Ubuntu desktop
Snaps are securely sandboxed, and kept separate from other parts of your system, if you install and run them on Ubuntu’s new Mir display server. Mir is used by Unity 8, Ubuntu’s convergence-enabled desktop that powers Ubuntu phone and the new Ubuntu tablet. Snaps can also be securely sandboxed if they’re run in a command-line environment.
However, Ubuntu 16.04 LTS still ships the Unity 7 desktop. It uses the X.org X server, which is based on the X11 windowing system. The old X11 system has its problems and needs to be replaced. That’s why Ubuntu is developing Mir, and it’s why other Linux distributions are developing Wayland. X11 needs to go.
Here’s the problem: Unlike Mir and Wayland, X11 doesn’t actually provide a way to limit what applications can do. A “sandboxed” application packaged as a Snap can register itself to receive keystrokes from any other application running on your desktop, so it can snoop on your passwords. A “sandboxed” application can send keystrokes, so it could launch a terminal and run a command that uploads that data to a third-party server with no restrictions.
Garrett provides a proof of concept named “XEvilTeddy,” which places a harmless-looking teddy bear on your desktop that watches your keystrokes and injects a (harmless) command when you open GNOME Terminal. Any developer could create a malicious application that uses these simple techniques for evil.
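Whether the Snap sandbox covers input at all therefore depends on which display server the session actually uses, so that is the first thing worth checking. The following shell script is an added example, not Canonical's or snapd's own code; the variable names it reads (XDG_SESSION_TYPE, WAYLAND_DISPLAY, MIR_SOCKET, DISPLAY) are assumptions about what the session exports.

```shell
#!/bin/sh
# Added check for this article: classify the graphical session a snap would
# run in and say whether the display server can confine it. Not part of
# snapd; the environment variable names are assumptions about the session.

# display_server SESSION_TYPE WAYLAND_DISPLAY MIR_SOCKET DISPLAY
# Prints one of: mir, wayland, x11, unknown.
display_server() {
    session_type="$1"; wayland_display="$2"; mir_socket="$3"; x_display="$4"
    # A Mir socket means the client talks to Mir even if DISPLAY is also set.
    if [ -n "$mir_socket" ]; then echo mir; return 0; fi
    # The logind session type is authoritative when present (XWayland still
    # reports "wayland" even though DISPLAY is set).
    case "$session_type" in
        wayland|mir|x11) echo "$session_type"; return 0 ;;
    esac
    # No session type recorded (e.g. a plain startx session): fall back to
    # the sockets the client libraries would connect to.
    if [ -n "$wayland_display" ]; then echo wayland; return 0; fi
    if [ -n "$x_display" ]; then echo x11; return 0; fi
    echo unknown
}

# display_isolates_clients SERVER
# Returns 0 if SERVER keeps one client from reading or injecting another
# client's input (Mir, Wayland); 1 for X11 or anything unrecognised.
display_isolates_clients() {
    case "$1" in
        mir|wayland) return 0 ;;
        *) return 1 ;;
    esac
}

# report: classify the current session from the environment and print a verdict.
report() {
    server=$(display_server "${XDG_SESSION_TYPE:-}" "${WAYLAND_DISPLAY:-}" \
                            "${MIR_SOCKET:-}" "${DISPLAY:-}")
    if display_isolates_clients "$server"; then
        echo "display server: $server (clients isolated; snap confinement covers input)"
    else
        echo "display server: $server (no client isolation; any X client can watch or inject input)"
    fi
}

report
```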
Canonical jumped the gun
There’s a reason GNOME’s similar xdg-app project—which also offers sandboxed apps—requires the new Wayland display server and won’t work with current X11 desktops. This type of sandboxing can’t be done securely on X11. That’s just the way it is.
Canonical wants to roll out Snaps today for their other packaging benefits, and even Mozilla is on board with that. But Canonical needs to make it clear to Ubuntu users that the sandbox isn’t fully functional yet. Canonical’s announcements lead Ubuntu users to think Snap packages are more secure than they actually are.
This problem won’t be fully resolved until Canonical moves the desktop to Mir and Unity 8, the converged desktop environment. Unfortunately, this likely won’t happen for the average Ubuntu desktop user until Ubuntu 18.04 LTS in two years.