Suggestion: Rename "Fallback to X11 windowing system" to communicate security implications #627
Comments
First half: It is less secure. The documentation (F1 or "Hamburger Menu") explains it. However the documentation is not easy to discover. Related topic, FYI: 99% of the time when a flatpak uses
Shorter suggestion: "X11 windowing system if Wayland windowing system is unavailable".
General you can go to the repository where the flatpak manifest is located (usually https://github.com/flathub), search if this has already be discussed and, if not, suggest the permission change. If a flatpak that works (for you) with Wayland has only If a flatpak that works (for you) with Wayland has both |
|
I personally think a word like "only" is vital. It's not clear that this somehow overrides the X11 windowing system general option IMHO, unless the fallback option has a clearly restriction-indicating wording like, "X11 window system only if". |
Yes, exactly, that seems to be very common, and out of a bunch of apps I tested, only one broke if I enabled the fallback restriction (which was Avidemux). All the others started up fine, so it seems to be an oversight that it's not enabled. |
Wouldn't that be only if the regular
If you tested the app and it works fine with X11 access disabled, you can create an issue/PR in the repository of that specific Flatpak package |
|
Most apps on flathub for me seem to be having x11 enabled on flathub, usually always when x11 fallback is set. Maybe this is in part due to the confusing naming? It seems like nobody else really seems to fully understand that either. I'm suggesting that it's not clear with x11 & x11 fallback also enabled what exactly is happening, as a non-advanced user. (I know now from this ticket, but I didn't before.) I feel like it's easy to interpret like it has full x11 access, through the x11 base permission, and then even more through the x11 fallback one somehow. It's not clear the fallback is a restriction in this case and that disabling it will grant more permissions, hence me suggesting a different name. |
|
Does the x11-fallback permission take precedence over the regular x11 permission? So when both are enabled, the app will still use Wayland by default? |
|
Oh, doesn't it? I thought it did! Now I don't even know anymore 😂 |
|
Ok, yes, it does:
https://docs.flatpak.org/en/latest/sandbox-permissions.html In that case I agree that the description should probably be changed to something like "Only use X11 when Wayland is unavailable" or "Use Wayland by default, fall back to X11" |
|
The issue with having "only" in the name is that it makes it seem like a purely restrictive permission - but it's only restrictive when the regular x11 permission is enabled, otherwise it only adds extra permissions. Maybe the UI should be changed to have an "Allow X11 windowing system" drop-down with the possible options being "Always", "When not using Wayland" and "Never"? |
|
I like the drop-down suggestion a lot. I propose the option names "Always enabled", "Only when desktop session isn't using Wayland", "Always disabled". (Sorry if this isn't up for debate or change anyway, but I hope this input is useful to someone.) |
|
@ell1e feel free to send a PR changing this particular description to something like |
|
I still think it should be named something like "Allow falling back to X11 but only if Wayland isn't available". Otherwise I don't think how it's less insecure than it currently sounds like is quite clear. |
|
@tchx84 what do you think about my three-way dropdown suggestion? That would indicate that it overrides the regular x11 permission, and would also avoid the problem of having a really long description. The way it would map to Flatpak permissions is like so: "Never":
"When not using Wayland":
"Always":
|
|
(I wasn't asked but: in my personal uninformed opinion that three options solution might work well. Maybe "When not using Wayland" would better be named "When Wayland is unavailable"? But I like it, I think it would be an improvement.) |
It's a good suggestion, when considering this specific case in isolation but, if Flatseal were to move its UI to a situational-inspired UI, it would simply not scale with all other possible situations / combinations. EDIT: I think the best way of moving forward with this is to clarify the messaging, via a better description and documentation. |
|
I see! My preferred order of things would be 1. this solution but maybe a clearer wording like |
|
I didn't understand this setting before you proposed the new title I think it would be nice to indeed change its title, or at least show a tooltip |
|
As a data point for this, a Flatpak user was recently sufficiently confused by the interaction of the As described in flatpak/flatpak#5881 (comment), Flatpak's CLI also presents this confusingly. It's really a tri-state, but the internal representation had to be chosen to provide backwards compatibility. I think it would be better for Flatseal to represent these two permissions as a drop-down with 3 options: that's what is really going on, and I can't think of a non-confusing representation for these two permissions as two independent booleans. The least-bad representation with booleans that I can think of is that if For the record, the interaction between them is:
|
It effectively is a tri-state, but its representation in the metadata is weird. I don't like that, but it was a necessary evil: otherwise, we wouldn't have had backwards compatibility (and it would have taken years for app maintainers to feel that they could safely switch from |
Audacity flatpak de-facto maintainer here. Inherently you are just demonstrating that allowing users to change random settings like that because "OMG it's unsafe" isn't a good idea. By disabling X11 from Audacity you basically disable the ability to display any of the audio plugin UI. This my also lead to crashes. But I guess breaking features is part of the "choice". |
|
@hfiguiere that's the point though, app maintainers enable all required permissions for the app to make it work for everyone, but users can disable some of the permissions if they don't need them Eg. I don't use any audio plugins, so I don't sacrifice anything by disabling X11 and network for Audacity |
|
It would be useful if apps like Audacity could store a comment on why certain permissions are needed that will then show up in flatseal. However, maybe it's just me, but that seems like a somewhat separate issue. The vast majority of apps doesn't seem to truly require X11 anymore these days. Edit: maybe Audacity could detect this on startup and show some sort of warning? If it doesn't do that already. |
It seems as per this discussion that when "Fallback to X11 windowing system" is enabled, with any Wayland desktop session a sandboxed app will be actually truly contained even if it tries X11 shenanigans, since if at launch Wayland is available then unsafe X11 is automatically cut off. This means disabling "Fallback to X11 windowing system" is considerably less safe, which the naming doesn't seem to really convey.
Therefore, I'd suggest the following rename: "Fallback to X11 windowing system" -> "Only allow X11 access if Wayland unavailable"
I'm hoping this might make the implications clearer, both of what it means when it is disabled and the additional security of this option when enabled for Wayland desktop users.
As a side note, a ton of apps on Flathub have both Wayland and X11 enabled, but have this fallback-only option disabled. I have tried enabling it for some like Audacity, Element, or Bluefish, and not only does it lead to way better UI since many apps will otherwise ill-advisedly default to X11, but it doesn't seem to come with any downsides other than worse security. So I wonder if that is a common packaging mistake?
The text was updated successfully, but these errors were encountered: