Matthew Garrett shares his thoughts on Snappy security

Apr 22, 2016 03:22 GMT  ·  By

Yesterday, April 21, 2016, Canonical unveiled the latest and most advanced version of the popular Ubuntu Linux operating system, Ubuntu 16.04 LTS, dubbed Xenial Xerus.

As we reported on the day of the release, Ubuntu 16.04 LTS (Xenial Xerus) ships with numerous new features and improvements, among which support for the innovative snap package format that Canonical has used until now only on its acclaimed Snappy Ubuntu Core operating system for embedded and IoT (Internet of Things) devices.

The snap package format is designed from the ground up to work with Canonical's Mir next-generation display server, which is used by default for the Ubuntu Touch mobile OS in supported Ubuntu Phone devices, as well as the new Ubuntu Tablet, BQ Aquaris M10 Ubuntu Edition, providing users with top-notch security.

By adding support for installing snap packages in the Ubuntu Desktop and Server operating systems, Canonical took a big step towards providing Ubuntu users with the latest software versions as soon as they're released upstream. Mozilla is the first to offer its Firefox web browser in a snap package format for Ubuntu later this year.

Snaps aren't secure under X11, claims developer Matthew Garrett

According to Matthew Garrett, a renowned CoreOS security developer and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system.

The fact of the matter is that X11's old design is well known for not being secure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software piece, in this case, anything you type on the Mozilla Firefox web browser.

  I've produced a quick proof of concept of this. Grab XEvilTeddy from git, install Snapcraft (it's in 16.04), snapcraft snap, sudo snap install xevilteddy*.snap, /snap/bin/xevilteddy.xteddy. An adorable teddy bear! How cute. Now open Firefox and start typing, then check back in your terminal window. Oh no! All my secrets. Open another terminal window and give it focus. Oh no! An injected command that could instead have been a curl session that uploaded your private SSH keys to somewhere that's not going to respect your privacy.  

For the time being, the snap format is not popular at all amongst Ubuntu fans, especially because there are very few pieces of software available in this package format that they can actually install on their new Ubuntu 16.04 LTS systems. But this will soon change, as more developers will provide snaps for their apps, so Canonical needs to do something about the security of snaps in Ubuntu when using X11.

This is yet another reason why most of the GNU/Linux distributions should switch to the Wayland or Mir display servers by default as soon as possible, especially now that most of the desktop environments support them, such as GNOME and KDE. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server.

Update: We followed Mr. Garrett's instructions on creating the xevilteddy snap with Snapcraft in Ubuntu 16.04 LTS (Xenial Xerus) with all updates applied. The snap was successfully created and installed. We can confirm, as you can see from the screenshot below, that indeed the xevilteddy app can steal everything you type in another X11 software piece, and possibly use cURL to send your SSH keys to a remote site.

Xevilteddy steals all of your secrets
Xevilteddy steals all of your secrets

Xevilteddy snap (2 Images)

Snappy in Ubuntu 16.04 LTS
Xevilteddy steals all of your secrets
Open gallery