"--new-session" underadvertised and CVE-2017-5226 still a thing in 2023 by default? #555
Description
Hi!
Thanks for making bubblewrap and sharing it as Software Libre! 🙏
Someone pointed out the importance of --new-session
on Hacker News and I'm in debt to them for speaking up about it both personally and with sandwine. They go on saying:
[..] Bubblewrap is aware of this, yet their documentation gives no indication that this flag is necessary to produce a secure sandbox. In --help, the documentation of --new-session is simply "Create a new terminal session," which severely understates its importance. [..]
I checked the main readme for mentions of --new-session
and found no matches and checked the help output and it doesn't mention security implecations. The man page has something but why check the man page if --help
seemed to answer the questions you new you had. So there really was no place other than Hacker News educating me prior to first usage and I could not even heard of --new-session
still, realistically.
After seeing the CVE-2017-5226 demo from #142 (thanks!) work on my own terminal (scary!), including stealth mode with echo off, I agree that --new-session
needs more user attention and/or become default. Maybe it needs a counter-part --same-session
also so that --new-session
can become the default at some point in the future if #150 is not being implemented — the latest reply there is off 2017. The warning idea from #162 — also of 2017 — will help with user education (which is good) but would come too late if bubblewrap is run behind the scenes rather than manually by the user.
Any chance for motion in that direction?
Thanks and best, Sebastian
Activity