Think Zoom, Teams, Google Meet, etc.
When sharing the screen, it can see everything the user sees. Would it be possible to isolate what it sees only to GUI applications run by the same user? If I run these as an unprivileged user via xhost, they don’t really work well. Sandboxing via bubblewrap requires knowledge beyond my current skills and I’m not sure if it would work.
Has anyone
I almost never share an entire screen, but rather single application windows; when I absolutely must share visual information from multiple applications simultaneously, I create a separate virtual desktop for presenting. Is this not possible?
I know this is possible, but it makes switching different windows a chore. Since I have GUI programs running under different users, I would want the screensharing program to not even be aware that other users’ GUI programs are on the screen.
How is it a chore?
Idk what exactly you’re asking for, but this is already an option for me on Teams in Chrome running under Wayland??? Like when I choose start presenting it pops up a dialog with window options including the whole desktop.
The same window pops up under Xorg too.
The difference is that the popup is optional on X. They can also just access the window data directly. On Wayland they have no way to access other windows without asking for permission via the “Portal” popup.
To my knowledge it’s impossible in X, unless you run apps on separate X servers.
Wayland handles this by default, with the exception of Xwayland apps.
If I run these as an unprivileged user via xhost, they don’t really work well.
This is not a strong security boundary and in this case is basically doing the opposite of what you want. Giving access to an X session is basically giving the app full access to your user account. As an example they can inject keystrokes to open a terminal and do whatever they want. X also gives every program access to every other program.
Running as a different user will prevent direct access to other resources of your user account which may block some generic malware/spyware that tries to gobble up random files, but keyloggers and screen captures will just work as expected because they use X anyways.
As mentioned in other comments the best solution to this is Wayland. Under Wayland apps don’t have direct access to each other. These apps use “Portals” which are trusted permission prompts. So if you try to share the screen under Wayland you will get a trusted prompt that lists all windows, and if you select one the app only gets access to that one selected window.
Although it is worth noting that most apps running under your user account will have pretty broad access. This can be mitigated by sandboxing tools like Flatpak but many available Flatpaks don’t provide much isolation. Carefully check the permissions if isolation is important to you.
And for the truly paranoid anything running under the same kernel is not strongly isolated. It is likely good enough for these partially trusted apps like Zoom or Teams (they are not likely to actually try to exploit your system, just suck up more data than you would like them to) but not strong enough for running completely untrusted programs that may be malicious. You would at least want a VM boundary (see Qubes OS) or ideally different physical hardware.
Another good option is running these in a browser. Browsers are designed from the ground up to run untrusted software safely. Google Meet works perfectly in the browser and Zoom has all of the core functionality available. (I don’t use MS Teams so can’t vouch for it.) This is my main approach to isolating proprietary software as it is reliable and I also value features such as cross-platform usage. Half of these programs just run Electron anyways so running in my main browser will use less resources and be faster than running 7 different Chromium processes.
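One way to do the Flatpak permission check suggested in the comment above, as an added example that is not part of the original thread: it parses the keyfile text printed by `flatpak info --show-permissions <app-id>` and reports grants that undo the isolation discussed here. The function names and both sample inputs are constructed for illustration, and flagging `devices=all` is an assumption that goes beyond what the thread mentions.

```python
import configparser

# Constructed sample of `flatpak info --show-permissions <app-id>` output.
SAMPLE_BROAD = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download;
"""
SAMPLE_TIGHT = """\
[Context]
shared=network;
sockets=wayland;pulseaudio;
filesystems=xdg-download:ro;!home;
"""

def _items(cfg, key):
    # Flatpak keyfile lists are ';'-separated with a trailing ';'.
    raw = cfg.get("Context", key, fallback="")
    return [v for v in raw.split(";") if v]

def audit_permissions(text):
    """Return (key, value, reason) for each grant that weakens isolation."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    delimiters=("=",))
    cfg.optionxform = str  # keyfile keys are case-sensitive
    cfg.read_string(text)
    findings = []
    sockets = _items(cfg, "sockets")
    if "x11" in sockets:
        findings.append(("sockets", "x11",
                         "X exposes every other X client's windows and input"))
    elif "fallback-x11" in sockets:
        findings.append(("sockets", "fallback-x11",
                         "same exposure whenever no Wayland socket is available"))
    for fs in _items(cfg, "filesystems"):
        if fs.startswith("!"):
            continue  # negated entry removes access
        base = fs.split(":", 1)[0]  # drop :ro / :rw / :create suffix
        if base in ("home", "host"):
            findings.append(("filesystems", fs, "broad access to user files"))
    # Assumption beyond the thread: devices=all is also treated as broad.
    if "all" in _items(cfg, "devices"):
        findings.append(("devices", "all", "access to all device nodes"))
    return findings

if __name__ == "__main__":
    for key, value, reason in audit_permissions(SAMPLE_BROAD):
        print(f"{key}={value}: {reason}")
```

To audit an installed app, pass the captured output of `flatpak info --show-permissions <app-id>` to `audit_permissions`.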
Thank you for the explanation
So Wayland fixes most of these. Is it possible to run GUI programs as another user just like in X with xhost though? I’m asking not only from a security point, but as a practical one since I need to run the same program under different namespaces/users.
I can’t say I have tried. But Wayland uses a socket, so maybe you can set file permissions to let other users access it?
I don’t know what your exact use case is but if you just want programs to have different “profiles” you can probably do something like setting `$HOME` to point somewhere else or otherwise configure their data directory.
You could pass through one GPU to a VM running Zoom if you wanted to get hardcore.
https://obsproject.com/forum/threads/solved-record-multiple-windows-but-not-all.106931/
in addition to windowed projector (creates window of what OBS would be streaming)
A bit hacky, and a pain to set up past 2 windows, but it works. I do this, creating a windowed projector, and then just share only that window.