Peres: Wayland Compositors - Why and How to Handle Privileged Clients!
On his blog, Martin Peres has a lengthy discourse on security in Wayland, which is targeted at replacing X some day. He looks at security properties, the current state of security in Wayland, and has recommendations for Wayland compositor authors on handling privileged clients. "While I think the user-intent method has a higher security than static privilege assignation, I think both should be implemented with the latter used as a way for users to specify they are OK with potentially reducing the security of the desktop environment to let the application he/she wants to run properly. This will lower users’ dissatisfaction and should result in a better security than bypassing some security properties for all applications. I am however worried that some stupid applications may be OK with creating snapshot capabilities from the command line, without requiring the user’s input. A packager would then grant the privileges to this application by default and thus, the mere fact of having this application installed will make your desktop non-confidential anymore." (Thanks to Patrick Guignot.)