The new Ubuntu distribution is out, along with the new Snap package format for improving application and OS security. There is already a claim that Snap can be circumvented on Ubuntu, but the truth is a little more complex.
Matthew Garrett, a well-known Linux kernel contributor and a security developer at CoreOS, took a swipe at Ubuntu Snap in a blog post Thursday, saying, "Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty." He claimed that installing Snap packages while using X11 display server was insecure, and he put together a proof-of-concept showing how a benign-looking application can log keystrokes typed into a totally different application (in this case, Firefox).
"An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal, and then use curl to send your data to a remote site," Garrett warned.
Garrett's point is somewhat valid. The security risk isn't from Snap packages, but from the fact that X11 is insecure -- how X11 trusts applications is a well-known security risk. Snap doesn't change X11's trust model, so the fact that applications can see what other applications are doing isn't a weakness in the new package format, but rather X11's.
It goes right back to being careful when downloading unknown binaries or executing commands from the Internet. Desktops, by their very nature, are a lot less secure: Install packages at your own risk. Linux users are fully aware of this.
In the lead-up to the distribution's release, Canonical claimed that Snap applications are isolated from the rest of the operating system. "The security mechanisms in snap packages allow us to open up the platform for much faster iteration across all of our flavours as snap applications are isolated from the rest of the system," Olli Ries, head of Canonical's Ubuntu client platform products and releases, wrote in an earlier post. Garrett is correct in noting that Canonical is being disingenuous here; Snap applications are not fully sandboxed because Snap has full access to any other X11 application.
X11 is currently the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. Canonical and other Linux distributions have been working on Wayland, which is not yet ready for prime time, and Mir, used in mobile; for the time being, most Ubuntu users are still on X11. Ubuntu Server is typically used without a display server, so the latest contretemps doesn't apply to server setups.
Snap's security advantage comes from the fact that the application is packaged with all of its dependencies. When the application is updated, the changes stay within the package, so the rest of the operating system and other applications are not impacted by the updates. In cases where applications use different versions of the same library, these kinds of atomic packages are handy because there's no chance of applications breaking when the library version is changed. The idea is that application owners can push out updates to users faster.
"Users can install a Snap without having to worry whether it will have an impact on their other applications or their system," Ries said in that earlier blog post.
It remains to be seen whether Snap will catch on, or if the Ubuntu faithful would stick with .deb packages. At the moment, there aren't many software applications available in this package format. Mozilla has committed to distributing its Firefox browser as a Snap package for Ubuntu later this year.
The question is whether developers will new Ubuntu 16.04 LTS systems. But this can change if developers decide to embrace the Snap model. If Snap becomes more popular, Canonical will have to make decisions regarding its choice of the display server or consider how to protect Snap packages from X11's faults.